Adaptive Eager Boolean Encoding
for Arithmetic Reasoning in Verification


Sanjit A. Seshia
May 2005
CMU-CS-05-134


School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213

Submitted in partial fulfillment of the requirements
for the degree of Doctor of Philosophy.

Thesis Committee:

Prof. Randal E. Bryant, Chair
Prof. Edmund M. Clarke
Prof. Jeannette M. Wing
Prof. David L. Dill, Stanford University


Copyright © 2005 Sanjit A. Seshia


This research was sponsored in part by a National Defense Science and Engineering Graduate Fellowship, the National Science Foundation under grant CCR-9805366, and the U.S. Army under ARO grant DAAD19-01-1-0485.

The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. Government, or any other entity.



Keywords: Decision procedures, automated theorem proving, model checking, Boolean satisfiability, integer linear programming, quantified Boolean formulas, first-order logic, timed automata, difference constraints, timed circuits, infinite-state systems, software security, machine learning, verification, reliability, security, UCLID, TMV.


Dedicated to Appa, Amma, Ashwin, and Sunny


Abstract 

Decision procedures for first-order logics are widely applicable in design verification and static program analysis. However, existing procedures rarely scale to large systems, especially for verifying properties that depend on data or timing, in addition to control.

This thesis presents a new approach for building efficient, automated decision procedures for first-order logics involving arithmetic. In this approach, decision problems involving arithmetic are transformed to problems in the Boolean domain, such as Boolean satisfiability solving, thereby leveraging recent advances in that area. The transformation automatically detects and exploits problem structure based on new theoretical results and machine learning. The results of experimental evaluations show that our decision procedures can outperform other state-of-the-art procedures by several orders of magnitude.

The decision procedures form the computational engines for two verification systems, UCLID and TMV. These systems have been applied to problems in computer security, electronic design automation, and software engineering that require efficient and precise analysis of system functionality and timing. This thesis describes two such applications: finding format-string exploits in software, and verifying circuits that operate under timing assumptions.
Chapter 1


Introduction 


Our increasing reliance on computer systems places an ever greater need for ensuring that they perform as expected. Errors in system design and implementation as well as malicious attacks pose a major barrier to exploiting the benefits of computing, creating problems ranging from lagging productivity to dangerous vulnerabilities in safety-critical systems. According to a recent survey [117], the cost of software bugs to the U.S. economy is of the order of 60 billion dollars every year, underlining the costs of failure in computer systems.

Errors can be found at various stages in a system's lifetime, ranging from design-time, through compile-time, to run-time, and even post-mortem. It is preferable to find errors as early as possible, as the costs of failure in deployed systems, particularly in unsupervised, safety-critical settings, can be enormous. Techniques for formal design verification and static program analysis are targeted towards improving the reliability and security of systems before run-time. Every such technique takes as input a system description and a specification, and outputs a yes/no answer as to whether the system satisfies its specification (and possibly "don't know" in some cases). The scalability of these techniques depends on that of the computational engines, or decision procedures, that underlie them. These decision procedures analyze a formal model, usually expressed in mathematical logic, to provide the yes/no answer.

Decision procedures for decidable fragments of first-order logic have found use in analyzing many kinds of systems, including application and system software, gate-level circuit designs, hybrid systems, and high-level microprocessor designs. For example, decision procedures play important roles in extended static checking [55], predicate abstraction-based software verification (e.g., [11, 36, 69]), finite-state model checking (e.g., [33, 41]), model checking timed systems (e.g., [71]), and processor verification (e.g., [29, 34]). Of these applications, the previous industrial-scale applications have been largely restricted to analyzing systems with Boolean state (such as finite-state systems or pushdown systems) or techniques that generate Boolean abstractions. These successes have been driven in large part by the efficiency of techniques for reasoning about and manipulating Boolean functions, such as Binary Decision Diagrams (BDDs) [27] and Boolean satisfiability (SAT) solvers (e.g., [63, 104]). In this thesis, these techniques are collectively referred to as Boolean methods.

The efficiency benefits of modeling systems purely with Boolean state are counterbalanced by a loss of modeling precision. Reduced precision results in false alarms, and the inability to verify properties depending heavily on data and timing, in addition to control. The successes of finite-state model checking and predicate abstraction-based software analysis have been restricted to analyzing control properties, such as verifying cache-coherence protocols and checking device driver usage protocols. Examples of analyses that require more precise modeling of data and timing include detection of malicious code (such as viruses or worms), high-level microprocessor design verification, array-bounds checking and buffer overrun detection, and verifying real-time systems and timed circuits. In these tasks, a rich set of non-Boolean data-types must often be modeled, including finite- and arbitrary-precision integers, real and floating-point numbers, memories, arrays, and data structures such as queues or lists. The resulting decision problems are only expressible in first-order logics or sometimes even only in higher-order logics. Previous decision procedures for these more expressive logics have rarely scaled to industrial-scale systems without some form of manual assistance.

This thesis presents a new approach to building efficient, automated decision procedures for first-order logics involving arithmetic based on Boolean methods. The practicality of this approach is demonstrated by incorporating it in verification tools that have been successfully applied to industrial-scale hardware and software systems. There are two key ideas in this approach.

1. Leverage Boolean methods: The decision procedures presented in this thesis operate by performing a Boolean encoding of the decision problem, either as a Boolean satisfiability (SAT) problem, or a problem involving manipulation of quantified Boolean formulas (QBF). Moreover, the encoding is eager, meaning that it is done in a single step. This enables us to easily leverage recent dramatic advances in Boolean methods.

2. Use adaptive encoding: The Boolean encoding algorithms are adaptive, meaning that an encoding algorithm or its parameters are automatically chosen based on the structure of its input. This is achieved by a combination of theoretical results on formalizing problem structure and the application of machine learning to inputs encountered in the past. The use of adaptive Boolean encoding enables us to solve the resulting Boolean problems more efficiently, in many cases by orders of magnitude compared to previous approaches.

The decision procedures proposed in this thesis form the computational engines for two verification systems, UCLID and TMV. These systems have been applied to a variety of application areas; the ones explored in this thesis are software security and the verification of timed circuits.
1.1 Boolean Encoding Techniques

We review and classify previous work on decision procedures based on Boolean methods so as to place the contributions of this thesis in context. Detailed surveys of previous work on specific topics, including application areas, are included in the corresponding chapters.

Decision procedures based on Boolean encoding methods fall into two main categories:

1. Eager encoding methods: Decision procedures in this class perform the Boolean encoding in a single step. For the quantifier-free logics considered in this thesis, the input formula is translated to an equi-satisfiable Boolean formula in a single step, and a SAT solver is invoked on the result. For the quantified logic considered, the translation generates a logically equivalent quantified Boolean formula (QBF), which can be manipulated using well-known techniques for QBF based on BDDs or SAT.

These methods have been developed for the theories of uninterpreted functions and equality [29, 122], a restricted set of lambda expressions (which can model arrays, memories, and some data structures) [30], and various theories of linear arithmetic over the integers and the rationals [30, 146, 148], with very limited support for quantifiers [89]. Counterexamples at the level of the original logical theories are easily generated, by mapping back from assignments generated by the SAT solver.

Eager encoding techniques can be further divided into two kinds. The first kind [28, 30, 122] exploits a small model property of the underlying theory; i.e., if a satisfying assignment exists for the original formula, then there is one in which the values of ground terms are bounded. This naturally leads to a bit-vector encoding of the ground terms. The second class of techniques [32, 62, 148] are direct encoding techniques, in which each atomic predicate is encoded as a Boolean variable. The resulting Boolean encoding is augmented with the Boolean encoding of instantiations of first-order axioms, such as congruence and transitivity of equality, over the ground terms in the formula.

2. Lazy encoding methods: Procedures in this category (e.g., [8, 13, 51, 56]) construct the Boolean encoding iteratively. Provers based on these methods, such as CVC and CVC-Lite [13, 14], ICS [51], and VeriFun [56], are designed to handle a fairly general class of first-order logic; in addition to the theories handled by the afore-mentioned eager techniques, these provers can handle a subset of the theories of bit-vectors, lists, and records, and some also provide support for quantifiers. Another advantage of these methods is that they are typically designed to be proof-generating.

The lazy encoding procedures work, in essence, as follows. They start with a direct Boolean encoding of the original formula, obtained by replacing each atomic predicate with a corresponding Boolean variable. If the SAT solver returns this formula to be unsatisfiable, it means that the original formula is also unsatisfiable. Otherwise, the SAT solver returns a satisfying assignment, which must be checked for consistency with the first-order theories. This is performed using a first-order prover for checking the satisfiability of conjunctions, also known as a ground decision procedure. If the assignment is consistent, then it implies that the original formula is satisfiable. Otherwise, the proof of unsatisfiability generated by the ground decision procedure is analyzed to generate additional clauses that are added to the Boolean encoding to constrain the search of the SAT solver, and the process repeats.

The differences between the various provers based on lazy encoding methods are mainly with respect to the tightness of integration between the SAT solver and the ground decision procedures, and the details of the ground decision procedures themselves. The ground decision procedures are generally based on a technique for combining decision procedures for individual theories, such as that given by Nelson and Oppen [109] or Shostak [141].

The lazy encoding approach has also been applied to quantifier-elimination in decidable quantified first-order logics [52].

The decision procedures proposed in this thesis fall into the first category. The quantifier-free logic considered in this thesis is a combination of the theories of uninterpreted functions and equality, quantifier-free Presburger arithmetic [125], and the restricted set of lambda expressions mentioned above (described in Chapter 7). In addition, this thesis presents the first eager encoding approach to performing quantifier-elimination in quantified difference logic (described in Chapter 8).

Let us compare lazy and eager encoding methods for the quantifier-free fragment of first-order logic considered in this thesis.

Eager encoding methods have the advantage that the resulting SAT problem has all the "first-order information" necessary to constrain the SAT solver's search, whereas adding this information lazily might cause the SAT solver to explore many assignments that are inconsistent with the first-order theories (exponentially many in the worst-case). Also, with eager methods, it is trivial to replace one SAT solver with another, and thus readily leverage any advances in SAT solving; this can be far harder in lazy techniques depending on how tightly the SAT solver is integrated into the decision procedure.

On the other hand, it is also possible for eager encoding algorithms to add too much "first-order information," generating SAT problems beyond the reach of current SAT solvers. Lazy methods are particularly effective when very little first-order reasoning is required (for example, when propositional reasoning suffices to decide unsatisfiability). Furthermore, many lazy methods are proof-generating, which is useful for certified verification (such as proof-carrying code [106]) as well as for abstraction refinement [67]. It is not yet clear how to generate proofs with eager encoding methods, especially those based on the small-domain encoding.
In the rest of this thesis, we will compare eager and lazy methods for specific theories via experimental evaluation.


1.2 Thesis Contributions

My thesis statement is:

Adaptive Boolean encoding methods enable the construction of efficient and automated decision procedures for expressive first-order logics involving arithmetic, increasing the precision and scalability of verification tools for hardware and software systems.

This thesis makes contributions in a number of areas. The main theoretical and conceptual contributions include:

• The first decision procedure for quantifier-free Presburger arithmetic that is based on a polynomial-time, polynomial-size translation to SAT, and which formally exploits the structure of linear constraints in software analysis (Chapter 5);

• New theoretical results on bounding the size of solutions for generalized 2SAT constraints and quantifier-free Presburger arithmetic (Chapters 4 and 5);

• The first approach to automated algorithm selection in a theorem proving context, based on the use of machine learning (Chapter 6);

• The first eager encoding approach for quantifier elimination in quantified difference logic (Chapter 8);

• The notion of generalized relative timing for modeling timing assumptions in circuits (Chapter 9).

There are also several applied contributions, including tools and industrial case studies:

• A publicly-available, multipurpose verification tool, called UCLID, for verifying systems modeled using the quantifier-free fragment of first-order logic mentioned earlier, with demonstrated applications in processor verification and software security (Chapter 7);

• The application of UCLID to finding a class of security exploits called format-string exploits, demonstrated on widely-used software packages (Chapter 7);

• A fully symbolic model checker, called TMV, for model checking timed automata (Chapter 9);

• The application of TMV to the verification of timed circuits, including a published circuit of the Pentium 4 microprocessor (Chapter 9).
1.3 Thesis Overview

This thesis covers a wide range of areas, spanning theory, hardware, and software. Accordingly, the thesis is organized into three parts, including one on background material, so that the content of each main part of the thesis is fairly independent of that of the other.

The first part of the thesis, comprising Chapters 2 and 3, gives background material needed in the rest of the thesis. Chapter 2 covers basic notation and linear programming concepts. Chapter 3 describes difference logic, a basic logic that forms the foundation for the concepts in this thesis, and two Boolean encoding algorithms: the small-domain encoding and the direct encoding algorithm. The material in Chapter 3 is based on joint work with R. E. Bryant, S. K. Lahiri, and O. Strichman [30, 148].

The second part of the thesis (Part I) presents our new decision procedures for linear arithmetic over the integers, extensions to handle other theories, and the implementation and application of the UCLID system. Chapter 4 describes how the small-domain Boolean encoding method can be extended to a logic of generalized 2SAT linear constraints, and is based on joint work with R. E. Bryant and K. Subramani [138]. Chapter 5 shows how the same class of encoding algorithms can be extended to quantifier-free Presburger arithmetic, by exploiting the sparse structure of linear constraints in software analysis; this is joint work with R. E. Bryant [135]. Chapter 6 compares the two encoding algorithms for difference logic and shows how they can be combined using machine learning to automatically select encodings for sub-formulae. A very preliminary version of the work in this chapter appeared in a joint paper with R. E. Bryant and S. K. Lahiri [133], and the material in this chapter is a substantial revision of that work. Part I is closed by Chapter 7, which describes how theories other than integer linear arithmetic are encoded to SAT, along with a description of the UCLID verification system and an application of UCLID to finding format-string exploits. The initial part of this chapter is based on joint work with R. E. Bryant and S. K. Lahiri [30]. The application to format-string exploits is based on joint work with R. E. Bryant, V. Ganapathy, S. Jha, and T. W. Reps [58]; in particular, the idea of viewing the format-string as a sequence of commands to printf is due to my co-authors Ganapathy, Jha, and Reps.

The third part of this thesis (Part II) describes how operations in quantified difference logic can be handled using Boolean methods, and describes an application to model checking timed circuits. Chapter 8 describes the operations on quantified difference logic (QDL), and is based on joint work with R. E. Bryant [134]. Although the content of this chapter is used for model checking timed systems, other applications are possible, and the material is fairly independent of the application explored in this thesis. Chapter 9 describes how we use the QDL operations in TMV, a model checker for timed automata, and the application of TMV to the verification of timed circuits. This chapter also describes the notion of generalized relative timing, which is a new technique for modeling timing assumptions in systems. The material in this chapter is based on joint papers with R. E. Bryant and K. S. Stevens [134, 136].

Finally, Chapter 10 summarizes the major conceptual contributions and design decisions in this thesis, and proposes several directions for future work.




Chapter 2


Preliminaries 


We introduce notation and concepts from linear programming that are useful in the rest of this thesis. Standard textbooks (e.g. [111, 131]) can be consulted for additional information.


2.1 Notation

We will use $m$ to denote the number of linear constraints, and $n$ to denote the number of variables. A system of $m$ linear constraints in $n$ variables is written as follows:

$$A x \ge b \qquad (2.1)$$

In general, $A = [a_{i,j}]$ is an $m \times n$ matrix with entries in $\mathbb{R}$, $b$ is an $m \times 1$ vector of real-valued entries, and $x$ is an $n \times 1$ vector of real-valued variables.

System (2.1) defines a polyhedron in $\mathbb{R}^n$ formed by the intersection of half-spaces corresponding to the linear constraints.

For Part I of this thesis, we will only consider integer variables and constants; that is, for all $i$ and $j$, $a_{i,j}, b_i, x_j \in \mathbb{Z}$.

In system (2.1), the entries in $x$ can be negative. A standard transformation (see, e.g., [119]) can be used to constrain the variables to be non-negative. The transformation involves adding a dummy variable $x'_0$ that refers to the "zero value," replacing each original variable $x_i$ by $x'_i - x'_0$, and then adjusting the coefficients in the matrix $A$ to get a new constraint matrix $A'$ and the following system:

$$A' x' \ge b, \qquad x' \ge 0 \qquad (2.2)$$

Note that $x'_0$ is an element of the vector $x'$ of dimension $n+1$. Matrix $A'$ has dimensions $m \times (n+1)$, where the last column corresponds to $x'_0$. The $(i,j)$th entry of $A'$ is the same as that for $A$ for $1 \le j \le n$, and $a'_{i,n+1}$ is $-\sum_{j=1}^{n} a_{i,j}$.

The transformation from system (2.1) to system (2.2) preserves satisfiability, as shown here:

Proposition 2.1 System (2.1) has a solution if and only if system (2.2) has one.

Proof: For the "if part", suppose we have a solution $x'$ to (2.2). Construct a candidate solution vector $x$ by setting $x_j = x'_j - x'_0$. Then, consider the $i$th constraint in $A'$, for any $i$. The following sequence of inequalities holds:

$$\Big(\sum_{j=1}^{n} a_{i,j} x'_j\Big) + a'_{i,n+1} x'_0 \;\ge\; b_i$$

$$\Big(\sum_{j=1}^{n} a_{i,j} x'_j\Big) + \Big(-\sum_{j=1}^{n} a_{i,j}\Big) x'_0 \;\ge\; b_i$$

$$\sum_{j=1}^{n} a_{i,j} (x'_j - x'_0) \;\ge\; b_i$$

$$\sum_{j=1}^{n} a_{i,j} x_j \;\ge\; b_i$$

Thus, we can conclude that the $i$th constraint of $A$ is satisfied by $x$ for all $i$. Thus, we have found a solution to system (2.1).

Now consider the "only if" part, where we start with a solution to system (2.1). Clearly, any value of $x'_0$ that sets $x'_j = x_j + x'_0$ for all $j$ will satisfy $A' x' \ge b$. But we also need to satisfy $x' \ge 0$. If none of the $x_j$ are negative, then simply set $x'_j = x_j$ and $x'_0 = 0$ and we are done. Otherwise, set $x'_0 = -\min_{k : x_k < 0} x_k$, and set $x'_j = x_j + x'_0$. Note that $x'_0 > 0$ by construction. Thus, if for a particular $j$, $x_j \ge 0$, then $x'_j > 0$. Suppose not. Then, $x_j \ge \min_{k : x_k < 0} x_k$ and so $x'_j = x_j - \min_{k : x_k < 0} x_k \ge 0$. Thus, we have a solution $x'$ that satisfies (2.2). □
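As an added illustration of the transformation from (2.1) to (2.2) and of both directions of the proof of Proposition 2.1, the following Python code (written for this edition; it is not part of the thesis or of UCLID) builds $A'$ from $A$, lifts a solution with negative entries to a non-negative one exactly as in the "only if" part, and projects a solution of (2.2) back to one of (2.1) as in the "if" part. The constraint system and the solution vectors it is run on are constructed for the example; variables are 0-based in the code, with the zero variable $x'_0$ stored as the last entry of $x'$.

```python
from fractions import Fraction
from typing import List, Sequence

Matrix = List[List[Fraction]]
Vector = List[Fraction]


def add_zero_variable(A: Sequence[Sequence]) -> Matrix:
    """Build A' from A: each row keeps its n entries and gains the extra
    column a'_{i,n+1} = -sum_j a_{i,j}, the coefficient of the zero variable."""
    return [list(row) + [-sum(row)] for row in A]


def satisfies(A: Sequence[Sequence], b: Sequence, x: Sequence) -> bool:
    """Check A x >= b componentwise (works for int or Fraction entries)."""
    return all(sum(a * v for a, v in zip(row, x)) >= bi for row, bi in zip(A, b))


def lift_solution(x: Sequence) -> Vector:
    """'Only if' direction of Proposition 2.1: from a solution x of (2.1)
    build a non-negative solution x' of (2.2).
    x'_0 = -min{x_k : x_k < 0} (0 if no entry is negative); x'_j = x_j + x'_0."""
    negatives = [v for v in x if v < 0]
    x0 = -min(negatives) if negatives else Fraction(0)
    return [v + x0 for v in x] + [x0]


def project_solution(xp: Sequence) -> Vector:
    """'If' direction: from a solution x' of (2.2) recover x_j = x'_j - x'_0.
    The zero variable is the last entry of x'."""
    x0 = xp[-1]
    return [v - x0 for v in xp[:-1]]


# Constructed example:  x_1 - x_2 >= 1  and  -x_1 >= 0  (i.e. x_1 <= 0),
# which forces x_2 to be negative in every solution of (2.1).
EXAMPLE_A = [[1, -1], [-1, 0]]
EXAMPLE_B = [1, 0]

if __name__ == "__main__":
    x = [0, -1]
    Ap = add_zero_variable(EXAMPLE_A)
    xp = lift_solution(x)
    print("A' =", Ap)                     # [[1, -1, 0], [-1, 0, 1]]
    print("x' =", xp, "satisfies (2.2):", satisfies(Ap, EXAMPLE_B, xp))
    print("back to (2.1):", project_solution(xp))
```

Running the lift followed by the projection on a solution round-trips it unchanged; projecting any other solution of (2.2) (for example one with a larger $x'_0$) still yields a solution of (2.1), which is the point of the "if" direction.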

Finally, we define the quantities $a_{\max}$ and $b_{\max}$ as follows:

$$a_{\max} = \max_{(i,j)} |a_{i,j}| \qquad (2.3)$$

$$b_{\max} = \max_{i} |b_i| \qquad (2.4)$$

In words, the quantity $b_{\max}$ is the $L_\infty$ norm of the vector $b$. We note that $a_{\max}$ and $b_{\max}$ are (tight) upper bounds on the absolute values of entries of $A$ and $b$ respectively.
2.2 Variable Classes

Given a set of $m$ linear constraints over $n$ variables, the set of variables can be partitioned into subsets as follows: Two variables are placed in the same subset if there is a constraint in which they both appear with non-zero coefficients. We will refer to each resulting subset as a variable class.

If the set of constraints appears in a system of constraints, like system (2.1), then partitioning variables into variable classes corresponds to partitioning the system into sub-systems that can be solved independently of each other. (In matrix terms, the matrix $A$ is transformed to block-diagonal form.) Importantly, note that this partitioning optimization can be performed before adding the "zero" variable $x'_0$. A different zero variable is then used for each variable class.

The notion of variable classes can be extended to Boolean combinations of linear constraints by applying it to the set of all linear constraints appearing in the formula. For example, consider the formula

$$x_1 + x_2 \ge 1 \;\wedge\; (x_2 - x_3 \ge 0 \;\vee\; x_4 - x_5 \ge 0)$$

In this case, variables $x_1$, $x_2$, and $x_3$ fall into one class, while $x_4$ and $x_5$ will be put into a different class.
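The partition into variable classes is the transitive closure of "appear together in some constraint" ($x_1$ and $x_3$ above share a class only through $x_2$), which is most simply computed with a union-find structure over the variable indices. The following Python code is an added example, not from the thesis or from UCLID: it computes the classes for a list of coefficient rows and then groups the rows into the independent sub-systems the text describes; the three atoms of the formula above are the constructed input.

```python
from typing import Dict, List, Sequence, Set, Tuple

# A constraint is represented by its coefficient row (a_{i,1}, ..., a_{i,n});
# the right-hand side b_i plays no role in the partition.
Row = Sequence[float]


def support(row: Row) -> List[int]:
    """1-based indices of the variables with a non-zero coefficient in the row."""
    return [j + 1 for j, a in enumerate(row) if a != 0]


def variable_classes(rows: List[Row], n: int) -> List[Set[int]]:
    """Partition x_1..x_n into variable classes: two variables share a class if
    some constraint mentions both, closed transitively (union-find over indices).
    A variable mentioned by no constraint forms a singleton class."""
    parent = list(range(n + 1))  # parent[0] unused; variables are 1-based

    def find(v: int) -> int:
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path halving
            v = parent[v]
        return v

    for row in rows:
        vs = support(row)
        for j in vs[1:]:  # merge every variable of the row with its first one
            ru, rv = find(vs[0]), find(j)
            if ru != rv:
                parent[ru] = rv

    classes: Dict[int, Set[int]] = {}
    for v in range(1, n + 1):
        classes.setdefault(find(v), set()).add(v)
    return sorted(classes.values(), key=min)


def sub_systems(rows: List[Row], n: int) -> Tuple[List[Tuple[Set[int], List[int]]], List[int]]:
    """Group constraint indices by the class of the variables they mention.
    Each group is an independent sub-system (one block of the block-diagonal A).
    Rows with no variable at all (constant constraints such as 0 >= 1) belong to
    no class and are returned separately."""
    classes = variable_classes(rows, n)
    owner = {v: c for c, cls in enumerate(classes) for v in cls}
    groups: List[List[int]] = [[] for _ in classes]
    constant_rows: List[int] = []
    for i, row in enumerate(rows):
        vs = support(row)
        if vs:
            groups[owner[vs[0]]].append(i)  # all of vs lie in the same class
        else:
            constant_rows.append(i)
    return list(zip(classes, groups)), constant_rows


# Constructed input: the three atoms of the example formula as rows over x_1..x_5:
#   x1 + x2 >= 1,   x2 - x3 >= 0,   x4 - x5 >= 0
EXAMPLE_ROWS = [
    [1, 1, 0, 0, 0],
    [0, 1, -1, 0, 0],
    [0, 0, 0, 1, -1],
]

if __name__ == "__main__":
    print(variable_classes(EXAMPLE_ROWS, 5))  # [{1, 2, 3}, {4, 5}]
    print(sub_systems(EXAMPLE_ROWS, 5))
```

Because the grouping is done on the coefficient rows alone, it applies unchanged to the atoms of a Boolean combination of constraints; the zero variable of each class would be added afterwards, per block, as the text notes.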


2.3 Fourier-Motzkin Elimination

Fourier-Motzkin (FM) elimination [49] is a classic technique for projecting a variable from a set of linear constraints.

Consider system (2.1). In order to obtain the system of linear constraints after projecting out variable $x_j$, FM elimination proceeds as follows:

1. Partition the system of constraints into three sets $P_j$, $N_j$, $Z_j$ as follows. For each constraint $i$, $1 \le i \le m$, we add it to:

   $P_j$, if $a_{i,j} > 0$;

   $N_j$, if $a_{i,j} < 0$;

   $Z_j$, otherwise.

2. Initialize the set of new constraints, $\Phi$, to $Z_j$.

3. For every pair of constraints $(i_P, i_N)$, where $i_P \in P_j$ and $i_N \in N_j$, add the following constraint to $\Phi$:

$$\sum_{k=1}^{n} \big(a_{i_P,j} \cdot a_{i_N,k} - a_{i_P,k} \cdot a_{i_N,j}\big) \cdot x_k \;\ge\; a_{i_P,j} \cdot b_{i_N} - a_{i_N,j} \cdot b_{i_P}$$
Clearly, the coefficient of $x_j$ in every constraint in $\Phi$ is 0.

If $x \in \mathbb{R}^n$, this transformation preserves satisfiability. In other words, there is a solution to the system of constraints in $\Phi$ if and only if there is one to the system (2.1). Thus, by using FM elimination to project out all variables, we can conclude that the original system is satisfiable if and only if the system with zero variables does not have a trivially false constraint (such as $0 \ge 1$).

In the worst case, the number of new constraints generated by $n$ steps of FM elimination can be $m^{2^n}$, i.e., doubly exponential in the input size [37].
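As an added example (not the thesis's or any tool's code), the following Python implementation of the FM step above works with exact rationals: `eliminate` builds $\Phi$ from $P_j$, $N_j$ and $Z_j$ with the pairwise combination of step 3, and `is_satisfiable_over_rationals` projects out every variable and then looks for a trivially false constant constraint. As the text states, this decides satisfiability over $\mathbb{R}^n$ only; for integer variables it answers for the real relaxation. `constraint_counts` records the size of $\Phi$ after each step, which is where the doubly exponential growth shows up on larger inputs. The constraint sets are constructed for the example; variables are 0-based in the code.

```python
from fractions import Fraction
from typing import List, Tuple

# A constraint  sum_k a_k * x_k >= b  is stored as (coeffs, b); variables are 0-based.
Row = Tuple[List[Fraction], Fraction]


def make_row(coeffs, b) -> Row:
    """Build a Row from int or Fraction entries."""
    return ([Fraction(c) for c in coeffs], Fraction(b))


def eliminate(rows: List[Row], j: int) -> List[Row]:
    """One FM step projecting out variable j.
    P_j / N_j / Z_j are the rows whose coefficient of x_j is positive / negative /
    zero; Phi starts as Z_j and gains one combination per (i_P, i_N) pair."""
    P = [r for r in rows if r[0][j] > 0]
    N = [r for r in rows if r[0][j] < 0]
    Z = [r for r in rows if r[0][j] == 0]
    phi = list(Z)
    for ap, bp in P:
        for an, bn in N:
            # a_{iP,j} * (row i_N)  -  a_{iN,j} * (row i_P): both multipliers are
            # positive, so the direction of ">=" is kept and x_j cancels.
            coeffs = [ap[j] * an[k] - an[j] * ap[k] for k in range(len(ap))]
            rhs = ap[j] * bn - an[j] * bp
            assert coeffs[j] == 0
            phi.append((coeffs, rhs))
    return phi


def constraint_counts(rows: List[Row], n: int) -> List[int]:
    """Number of constraints after each of the n elimination steps."""
    counts = []
    for j in range(n):
        rows = eliminate(rows, j)
        counts.append(len(rows))
    return counts


def is_satisfiable_over_rationals(rows: List[Row], n: int) -> bool:
    """Project out all n variables. What remains are constraints 0 >= b, and the
    system is satisfiable over the reals iff none of them is trivially false."""
    for j in range(n):
        rows = eliminate(rows, j)
    return all(b <= 0 for _, b in rows)


# Constructed inputs.
# A cycle of difference constraints whose sum gives 0 >= 2:
#   x1 - x2 >= 1,  x2 - x3 >= 1,  x3 - x1 >= 0
UNSAT_SYSTEM = [make_row([1, -1, 0], 1), make_row([0, 1, -1], 1), make_row([-1, 0, 1], 0)]
# x1 - x2 >= 1,  x2 >= 0  (satisfiable, e.g. x = (1, 0))
SAT_SYSTEM = [make_row([1, -1], 1), make_row([0, 1], 0)]

if __name__ == "__main__":
    print("after eliminating x1:", eliminate(UNSAT_SYSTEM, 0))
    print("sizes per step:", constraint_counts(UNSAT_SYSTEM, 3))   # [2, 1, 1]
    print("unsat system satisfiable?", is_satisfiable_over_rationals(UNSAT_SYSTEM, 3))
    print("sat system satisfiable?", is_satisfiable_over_rationals(SAT_SYSTEM, 2))
```

On the unsatisfiable cycle the first step combines $x_1 - x_2 \ge 1$ with $x_3 - x_1 \ge 0$ into $x_3 - x_2 \ge 1$, the second step combines that with $x_2 - x_3 \ge 1$ into $0 \ge 2$, and the final step leaves this constant constraint in place, which is exactly the trivially false constraint the text refers to.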


Chapter 3


Difference  Logic 


A simple but extremely useful form of linear constraint is the difference constraint. This chapter
presents Boolean encoding techniques for a logic of difference constraints, termed difference
logic. These encoding techniques form the basis for many ideas in the rest of this thesis.

Definition 3.1 A difference constraint is a linear constraint of the form $x_i - x_j \bowtie b_t$ or $x_i \bowtie b_t$,
where $x_i$ and $x_j$ are real-valued variables, $b_t$ is a real-valued constant, and $\bowtie$ denotes a relational
symbol in the set $\{>, \geq, =, <, \leq\}$.

A constraint of the form $x_i \bowtie b_t$ can be written as $x_i - x_0 \bowtie b_t$ where $x_0$ is a special "variable"
denoting zero. This convention is followed in the rest of the thesis, unless stated otherwise.

Difference constraints are also referred to in the literature as difference-bound constraints or separation predicates, and difference logic is also commonly termed separation logic. We will use
DL as an acronym for difference logic.


bool-expr ::= true | false | bool-var | ¬bool-expr
            | (bool-expr ∧ bool-expr) | (num-expr ≥ num-expr)
num-expr  ::= x_i | num-expr + b | ITE(bool-expr, num-expr, num-expr)

Figure 3.1: Difference logic syntax. $x_i$, $0 \leq i \leq n$, and $b$ denote a variable and constant respectively.

Figure 3.1 summarizes the expression syntax for difference logic. Expressions can be of two types:
numerical or Boolean. Boolean expressions are formed by using Boolean connectives to combine
equalities, inequalities, or Boolean variables. Numerical expressions are either numerical (integer
or real) variables, or are formed by adding a constant offset to numerical expressions, or by applying
the ITE ("if-then-else") operator. The ITE operator chooses between two values based on a Boolean
control value, i.e., $ITE(\mathrm{true}, x_1, x_2)$ yields $x_1$ while $ITE(\mathrm{false}, x_1, x_2)$ yields $x_2$. Boolean and
relational operators not used in Figure 3.1 can be expressed in terms of those employed.

Remarks  on  notation 

Note that the grammar in Figure 3.1 permits real and integer variables to be mixed in relational
comparisons and if-then-else expressions. For the purposes of this thesis, we will consider either
only integer variables, or only real variables, depending on the context. For the remainder of this
chapter, we will restrict all variables and constants to be integer-valued.

Second, as noted in Chapter 2, multiple zero variables will usually be introduced, one for each
variable class. In the rest of this chapter, we will assume that these variables have already been
introduced into the DL formula, so that every difference constraint comprises exactly two variables,
each taking values in $\mathbb{N}$.

Finally, although the syntax permits us to write expressions of the form num-expr $\geq$ num-expr, we
will use notation in which only variables appear on the left-hand side, and no more than one
constant term appears on the right-hand side. Thus, a difference constraint will usually be written
either as $x_i - x_j \geq b_t$ or as $x_i \geq x_j + b_t$.


Complexity  of  the  decision  problem 

The problem of deciding the satisfiability of a DL formula $F_{diff}$ over the integers is NP-complete. It
is NP-hard since Boolean satisfiability can be trivially reduced to it. In addition, it is in NP because
the logic has a small-model property. A DL formula $F_{diff}$ is satisfiable if and only if there exists a
satisfying assignment whose size, measured in bits, is polynomially bounded in the size of $F_{diff}$. A
proof of the latter property is presented in Section 3.2.

However, if we restrict the syntax of DL by disallowing Boolean variables, ITE expressions, and all
Boolean connectives except $\wedge$, the satisfiability problem is polynomial-time solvable. This restricted
problem is simply that of finding a feasible solution to a system of difference constraints, and can
be solved using a formulation as a shortest-path problem [43].

Overview 


In this chapter, we present two approaches to deciding difference logic via eager encoding to SAT:

1. Small-Domain Encoding [30]: This approach exploits the small-model property of DL, and
works as follows:

(a) Compute the polynomial bound $S$ on solution size.

(b) Search for a satisfying solution to $F_{diff}$ in the bounded space $\{0, 1, \ldots, 2^S - 1\}^n$.

The small-domain encoding approach is also termed finite instantiation.

In the methods described in this thesis, the search in Step (b) is conducted using a SAT solver.
To do this, $F_{diff}$ is translated to a Boolean formula by encoding each integer variable as a
vector of Boolean variables of length $S$. Arithmetic and relational operators are encoded as
arithmetic circuits and comparators.

However, note that a non-SAT-based search technique can just as well be used.

2. Direct Encoding [148]: A decision procedure based on the direct encoding method operates
in 4 steps:

(a) Eliminate the ITE construct from the formula, to get a formula that is a Boolean combination
of difference constraints.

(b) Replace each unique difference constraint with a fresh Boolean variable to get a Boolean
formula $F_{bvar}$.

(c) Generate a Boolean formula $F_{arith}$ that constrains the values of the introduced Boolean
variables so as to preserve the arithmetic information in the original formula.

(d) Decide the satisfiability of the Boolean formula $F_{bvar} \wedge F_{arith}$ using a SAT solver.

The direct encoding approach has also been termed per-constraint encoding.

At the time of writing this thesis, all decision procedures based on eager encoding to SAT can be
viewed as instances of one of the above two methods.


3.1  Constraint  Graph 

We  begin  by  describing  a  basic  data  structure  used  in  the  rest  of  this  chapter. 

Given  a  set  of  m  difference  constraints  involving  n  variables,  we  construct  a  weighted,  directed 
multigraph  as  follows: 

1.  A  vertex  v%  is  introduced  for  each  variable  xt. 

2.  For  each  difference  constraint  of  the  form  x%  —  Xj  >  bt,  wc  add  a  directed  edge  from  vt  to  Vj 
of  weight  bt  ■ 
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The  resulting  structure  has  m  edges  and  n  vertices  and  is  termed  the  constraint  graph.  It  is,  in 
general,  a  multigraph  since  there  can  be  multiple  constant  (right-hand  side)  terms  for  a  given  left- 
hand  side  expression  xt  —  xj.  However,  we  will  refer  to  it  simply  as  a  graph. 

Example 3.1 Consider the following set of 8 constraints involving 7 variables:

$$\begin{array}{ll}
x_1 - x_2 \geq 0 \qquad & x_5 - x_6 \geq 50 \\
x_2 - x_3 \geq 0 & x_6 - x_4 \geq -100 \\
x_3 - x_1 \geq 1 & x_6 - x_5 \geq -49 \\
x_4 - x_5 \geq 100 & x_7 - x_4 \geq -100
\end{array}$$

The constraint graph representing the above set of constraints is depicted in Figure 3.2. □


Figure  3.2:  Example  of  constraint  graph 


3.2  Small-Domain  Encoding 

The crucial piece of information needed to implement the small-domain encoding method is the
bound on solution size, $S$.

In this section, we obtain a bound $d$ on the values of variables in a DL formula such that it is
sufficient only to search for satisfying solutions in the space $\{0, 1, 2, \ldots, d\}^n$. Then, $S$ is computed
using the following equation:

$$S = \lceil \log(d + 1) \rceil \qquad (3.1)$$

We prove the following theorem:

Theorem 3.1 Let $F_{diff}$ be a DL formula with $n$ variables. Let $b_{max}$ be the maximum over the
absolute values of the constant terms of all difference constraints in $F_{diff}$. Then, $F_{diff}$ is satisfiable if and only if it has a
solution in $\{0, 1, 2, \ldots, d\}^n$ where

$$d = (n - 1) \cdot (b_{max} + 1)$$


Proof: The "if" part of the proof is trivial. Let us consider proving the "only if" part.

Assume initially that $F_{diff}$ does not have any ITE expressions.

Since $F_{diff}$ is satisfiable, let $\sigma$ be a satisfying assignment. Under $\sigma$, each difference constraint
evaluates to true or false. Construct the set of difference constraints $\Phi$ as follows:

1. If $\sigma[x_i - x_j \geq b_t] = \mathrm{true}$, add $x_i - x_j \geq b_t$ to $\Phi$.

2. If $\sigma[x_i - x_j \geq b_t] = \mathrm{false}$, add the negation of $x_i - x_j \geq b_t$, viz., $x_j - x_i \geq -b_t + 1$, to $\Phi$.

Consider the constraint graph $\mathcal{G}$ corresponding to $\Phi$. There are $n$ vertices, one for each variable, and
at most $m$ edges, one for each constraint or its negation. Note that, while negating constraints, the
constant term can increase by at most 1. Therefore, the weight of any edge in $\mathcal{G}$ is at most $b_{max} + 1$
in absolute value.

The constraint corresponding to each edge in $\mathcal{G}$ is true under $\sigma$. Therefore, there cannot be any
cycles in the graph such that the sum of the weights of the cycle's edges is positive.

Now, construct a graph $\mathcal{G}'$ as follows:

1. Negate the weight of every edge in $\mathcal{G}$. Thus, there is an edge from $v_i$ to $v_j$ of weight $b_t$ in $\mathcal{G}'$
iff $x_i - x_j \geq -b_t$ is a constraint in $\Phi$.

2. Introduce a source vertex $v_{source}$, and edges of weight 0 from $v_{source}$ to every $v_i$.

Shortest paths $\delta_i$ from $v_{source}$ to every $v_i$ are guaranteed to exist since there are no negative cycles
in $\mathcal{G}'$. Moreover, for every edge in $\mathcal{G}'$ from $v_i$ to $v_j$ of weight $b_t$, $\delta_j \leq \delta_i + b_t$. In other words, an
assignment $\sigma'$ such that $\sigma'[x_i] = \delta_i$ is a satisfying assignment to $F_{diff}$.

Any path in $\mathcal{G}'$ has at most $n - 1$ edges, each of weight at most $b_{max} + 1$ in absolute value. Therefore, for all $i$,
$|\delta_i| = |\sigma'[x_i]| \leq (n - 1) \cdot (b_{max} + 1)$.

Thus, since adding the same constant to every variable preserves every difference constraint, there exists a satisfying solution in $\{0, 1, 2, \ldots, d\}^n$ where

$$d = (n - 1) \cdot (b_{max} + 1)$$

Finally, if $F_{diff}$ has ITE expressions, we can eliminate them using the rewrite rule

$$ITE(\textit{bool-expr}, \textit{num-expr}_1, \textit{num-expr}_2) \geq \textit{num-expr}_3$$
$$\Updownarrow$$
$$[(\textit{bool-expr} \Rightarrow \textit{num-expr}_1 \geq \textit{num-expr}_3) \wedge (\neg\textit{bool-expr} \Rightarrow \textit{num-expr}_2 \geq \textit{num-expr}_3)]$$

Application of this rewrite rule cannot decrease the values of $n$ or $b_{max}$. Thus, the bound $d$ applies
even if $F_{diff}$ has ITE expressions. □

We observe that $S = O(\log n \cdot \log b_{max})$, which is polynomial in the input size.

Remark 3.1 Note that the above analysis is conservative in two respects:

1. Suppose that there are multiple variable classes. There are no edges between vertices corresponding
to different variable classes, and hence a separate bound can be computed and
employed for each class. If $n_i$ and $b_{max,i}$ are the values of $n$ and $b_{max}$ for variable class $i$, a bound
of $(n_i - 1) \cdot (b_{max,i} + 1)$ suffices for variables in that class.

2. The term $(n - 1) \cdot (b_{max} + 1)$ can be replaced by $\sum_{j=1}^{n-1} (|b_{i_j}| + 1)$, where $b_{i_1}, b_{i_2}, \ldots, b_{i_{n-1}}$
are the $n - 1$ largest elements of $b$, in absolute value.

□

Example 3.2 Consider the following DL formula:

$$(x_1 \geq x_2 \wedge x_2 \geq x_3 \wedge x_3 \geq x_1 + 1)$$
$$\vee$$
$$(x_4 \geq x_5 + 100 \wedge ITE(x_5 \geq x_6 + 50, x_6, x_7) \geq x_4 - 100)$$

There are two variable classes, viz., $\{x_1, x_2, x_3\}$ and $\{x_4, x_5, x_6, x_7\}$.

For the first class, $n = 3$ and $b_{max} = 1$. The value of $d$ is therefore $2 \cdot 2 = 4$.

For the second class, $n = 4$ and $b_{max} = 100$. The value of $d$ is therefore $3 \cdot 101 = 303$.

Using the observation made in Part (2) of Remark 3.1 does not improve the above bounds. □
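The per-class bound of Theorem 3.1 and Remark 3.1 (part 1) as computed in Example 3.2, together with the constructive step of the proof (shortest paths in $\mathcal{G}'$ from a zero-weight source, then a shift into $\{0, \ldots, d\}$), as an added example that is not code from the thesis. Variable classes are found with a small union-find, which the text does not spell out; the constraint tuples, the Bellman-Ford relaxation and the two sample sets $\Phi$ are constructed here.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed representation: (i, j, b) stands for the difference constraint x_i - x_j >= b.
Diff = Tuple[int, int, int]

# Constructed input: the difference constraints of Example 3.2, with the ITE split into
# its two branch constraints x_6 >= x_4 - 100 and x_7 >= x_4 - 100.
EXAMPLE_3_2: List[Diff] = [
    (1, 2, 0), (2, 3, 0), (3, 1, 1),
    (4, 5, 100), (5, 6, 50), (6, 4, -100), (7, 4, -100),
]


def variable_classes(constraints: List[Diff]) -> List[Set[int]]:
    """Group variables linked by a chain of constraints (union-find, assumed here)."""
    parent: Dict[int, int] = {}

    def find(v: int) -> int:
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]          # path halving
            v = parent[v]
        return v

    for i, j, _ in constraints:
        parent[find(i)] = find(j)                  # union the two endpoints
    groups: Dict[int, Set[int]] = defaultdict(set)
    for v in list(parent):
        groups[find(v)].add(v)
    return list(groups.values())


def domain_bound(constraints: List[Diff], cls: Set[int]) -> Tuple[int, int]:
    """(d, S) for one class: d = (n-1)*(b_max+1) per Theorem 3.1 / Remark 3.1,
    S = ceil(log2(d+1)) per equation (3.1), computed exactly via bit_length."""
    n = len(cls)
    b_max = max((abs(b) for i, _, b in constraints if i in cls), default=0)
    d = (n - 1) * (b_max + 1)
    return d, d.bit_length()


def solve_conjunction(phi: List[Diff]) -> Optional[Dict[int, int]]:
    """Constructive step of the proof of Theorem 3.1 for a set Phi of constraints
    x_i - x_j >= b: build G' (edge v_i -> v_j of weight -b), compute shortest paths
    from a source joined to every vertex by a 0-weight edge (Bellman-Ford), and shift
    the distances to be non-negative. Returns None when G' has a negative cycle,
    i.e. when Phi is infeasible."""
    vertices = {v for i, j, _ in phi for v in (i, j)}
    edges = [(i, j, -b) for i, j, b in phi]
    dist = {v: 0 for v in vertices}                # effect of the 0-weight source edges
    for _ in range(len(vertices)):
        changed = False
        for i, j, w in edges:
            if dist[i] + w < dist[j]:              # relax: delta_j <= delta_i + w
                dist[j] = dist[i] + w
                changed = True
        if not changed:
            break
    else:
        return None                                # still relaxing after |V| passes
    shift = -min(dist.values())                    # every delta_i <= 0; a uniform shift
    return {v: d + shift for v, d in dist.items()} # keeps all differences unchanged


def satisfies(phi: List[Diff], sol: Dict[int, int]) -> bool:
    return all(sol[i] - sol[j] >= b for i, j, b in phi)


# Constructed sets Phi from the second disjunct of Example 3.2: the "then" branch
# (the three constraints sum to 0 >= 50) is infeasible; the "else" branch, with the
# ITE guard negated to x_6 - x_5 >= -49 as in the proof, is feasible.
THEN_BRANCH: List[Diff] = [(4, 5, 100), (5, 6, 50), (6, 4, -100)]
ELSE_BRANCH: List[Diff] = [(4, 5, 100), (6, 5, -49), (7, 4, -100)]

if __name__ == "__main__":
    for cls in variable_classes(EXAMPLE_3_2):
        print(sorted(cls), domain_bound(EXAMPLE_3_2, cls))   # (4, 3) and (303, 9)
    print(solve_conjunction(THEN_BRANCH))                     # None
    print(solve_conjunction(ELSE_BRANCH))                     # {4: 100, 5: 0, 6: 100, 7: 100}
```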

Complexity 

Computing $n$ and $b_{max}$ requires a linear scan of the input DL formula.

The propositional encoding can also be done in polynomial time. Each variable is encoded using $S$
bits, and $S$ is polynomial in the input size. Adder, comparator, and multiplexor circuits (required to
encode the operators $+$, $\geq$, and ITE respectively) are all polynomial in the size of their arguments.
Thus, the small-domain encoding method can be performed in polynomial time. Furthermore, the
resulting encoding is polynomial in the size of the input DL formula.


3.3  Direct  Encoding 

Given a DL formula $F_{diff}$, the Direct method translates it to an equi-satisfiable Boolean formula
$F_{bool}$ in the following 4 steps:

1. Preprocessing: First, all ITE expressions are eliminated from $F_{diff}$ by recursively using the
following rewrite rules:

$$ITE(\textit{bool-expr}, \textit{num-expr}_1, \textit{num-expr}_2) \geq \textit{num-expr}_3$$
$$\Updownarrow$$
$$[(\textit{bool-expr} \wedge \textit{num-expr}_1 \geq \textit{num-expr}_3) \vee (\neg\textit{bool-expr} \wedge \textit{num-expr}_2 \geq \textit{num-expr}_3)] \qquad (3.2)$$

$$\textit{num-expr}_1 \geq ITE(\textit{bool-expr}, \textit{num-expr}_2, \textit{num-expr}_3)$$
$$\Updownarrow$$
$$[(\textit{bool-expr} \wedge \textit{num-expr}_1 \geq \textit{num-expr}_2) \vee (\neg\textit{bool-expr} \wedge \textit{num-expr}_1 \geq \textit{num-expr}_3)] \qquad (3.3)$$

Next, negations are eliminated from the resulting formula. Let the result be $F_{norm}$.

2. Generate Boolean skeleton: Each difference constraint $x_i \geq x_j + b$ in $F_{norm}$ is replaced
by a fresh Boolean variable $e^{b}_{i,j}$. This preserves only the Boolean structure of $F_{norm}$. The
resulting Boolean formula is denoted by $F_{bvar}$.

3. Generate transitivity constraints: In order to preserve the arithmetic information in $F_{norm}$,
constraints are generated to disallow satisfying assignments to $F_{bvar}$ that cannot be extended
to a satisfying assignment to $F_{norm}$. These constraints, termed transitivity constraints, are
generated as follows:

(a) Construct the constraint graph $\mathcal{G}_{norm}$ corresponding to the set of difference constraints
appearing in $F_{norm}$.

(b) Initialize the Boolean formula $F_{trans}$ to true.

(c) Pick a vertex $v_i$. (Usually, $v_i$ is a vertex for which the product of its in-degree and
out-degree is minimum.) If no vertex exists, skip to Step (4).

Let $(v_j, v_i, b_1)$ and $(v_i, v_k, b_2)$ denote a pair of incoming and outgoing edges incident at
$v_i$. For every such pair:

- If $j \neq k$, we add the edge $(v_j, v_k, b_1 + b_2)$. Additionally, we update $F_{trans}$ as
follows:

$$F_{trans} \leftarrow F_{trans} \wedge \left(e^{b_1}_{j,i} \wedge e^{b_2}_{i,k} \Rightarrow e^{b_1 + b_2}_{j,k}\right)$$

- If $j = k$, so that the two edges form a cycle, and $b_1 + b_2 > 0$, the cycle cannot be satisfied, and we update $F_{trans}$ as
follows:

$$F_{trans} \leftarrow F_{trans} \wedge \left(e^{b_1}_{j,i} \wedge e^{b_2}_{i,j} \Rightarrow \mathrm{false}\right)$$

(d) Delete $v_i$ and all its incident edges, and return to Step (3c).

Note that the vertex elimination step in the above procedure is Fourier-Motzkin elimination
viewed graph-theoretically.

4. Assemble Boolean encoding: The final Boolean encoding $F_{bool}$ is $F_{bvar} \wedge F_{trans}$.


Theorem 3.2 $F_{diff}$ and $F_{bool}$ are equi-satisfiable.

Proof: First, note that $F_{diff}$ and $F_{norm}$ are equi-satisfiable. Secondly, if $F_{norm}$ is satisfiable, so
is $F_{bool}$, since the assignment to difference constraints in $F_{norm}$ can be directly applied to satisfy
$F_{bool}$.

We therefore focus on proving that if $F_{bool}$ is satisfiable, so is $F_{norm}$. In particular, we claim we can
extend any satisfying assignment $\sigma$ of $F_{bool}$ to $F_{norm}$ such that

$$\sigma[x_i \geq x_j + b] = \sigma[e^{b}_{i,j}]$$

We will say that an edge $(v_i, v_j, b)$ of $\mathcal{G}_{norm}$ is true if $\sigma[e^{b}_{i,j}] = \mathrm{true}$.

The formula $F_{norm}$ is satisfied by $\sigma$ if $\mathcal{G}_{norm}$ does not contain any cycles of positive cumulative
weight with all edges true. We will show that under $\sigma$, at least one edge of each positive weight
cycle must be false.

Consider an arbitrary cycle $C : v_1, v_2, \ldots, v_n, v_1$ of positive cumulative weight. Let $b_2, b_3, \ldots, b_n, b_1$
be the weights of edges $(v_1, v_2), (v_2, v_3), \ldots, (v_n, v_1)$ respectively and let $w(C)$ denote the cumulative
weight of cycle $C$. Thus, $w(C) = \sum_{i=1}^{n} b_i > 0$.

Assume without loss of generality that the elimination order is $v_1 < v_2 < \cdots < v_n$. Starting
with $C_0 = C$, the $i$th elimination step results in a new cycle $C_i$ such that $|C_i| = |C_{i-1}| - 1$ and
$w(C_i) = w(C_{i-1})$. Each projection adds a transitivity constraint. For example, the first elimination
adds $e^{b_1}_{n,1} \wedge e^{b_2}_{1,2} \Rightarrow e^{b_1 + b_2}_{n,2}$. In the $(n-1)$th elimination step we are left with a cycle between
$v_{n-1}$ and $v_n$ of weight $w(C)$, at which step the projection method replaces the implicant with false.
All together, the following conjunction of constraints appears in $F_{trans}$:

$$\left(e^{b_1}_{n,1} \wedge e^{b_2}_{1,2} \Rightarrow e^{b_1 + b_2}_{n,2}\right) \wedge \left(e^{b_1 + b_2}_{n,2} \wedge e^{b_3}_{2,3} \Rightarrow e^{b_1 + b_2 + b_3}_{n,3}\right) \wedge \cdots \wedge \left(e^{\sum_{i=1}^{n-1} b_i}_{n,n-1} \wedge e^{b_n}_{n-1,n} \Rightarrow \mathrm{false}\right)$$

This chain of constraints forces at least one of the edges to be false. □


Example 3.3 We illustrate the Direct encoding method using the DL formula introduced in Example
3.2, reproduced below:

$$(x_1 \geq x_2 \wedge x_2 \geq x_3 \wedge x_3 \geq x_1 + 1)$$
$$\vee$$
$$(x_4 \geq x_5 + 100 \wedge ITE(x_5 \geq x_6 + 50, x_6, x_7) \geq x_4 - 100)$$

The main steps are outlined below:

1. After eliminating the ITE expression, we obtain the following DL formula:

$$(x_1 \geq x_2 \wedge x_2 \geq x_3 \wedge x_3 \geq x_1 + 1)$$
$$\vee$$
$$(x_4 \geq x_5 + 100 \wedge [(x_5 \geq x_6 + 50 \wedge x_6 \geq x_4 - 100) \vee (\neg\, x_5 \geq x_6 + 50 \wedge x_7 \geq x_4 - 100)])$$

Next, we obtain the negation-free form $F_{norm}$:

$$(x_1 \geq x_2 \wedge x_2 \geq x_3 \wedge x_3 \geq x_1 + 1)$$
$$\vee$$
$$(x_4 \geq x_5 + 100 \wedge [(x_5 \geq x_6 + 50 \wedge x_6 \geq x_4 - 100) \vee (x_6 \geq x_5 - 49 \wedge x_7 \geq x_4 - 100)])$$

2. The Boolean skeleton $F_{bvar}$ is:

$$(e^{0}_{1,2} \wedge e^{0}_{2,3} \wedge e^{1}_{3,1}) \;\vee\; (e^{100}_{4,5} \wedge [(e^{50}_{5,6} \wedge e^{-100}_{6,4}) \vee (e^{-49}_{6,5} \wedge e^{-100}_{7,4})])$$

3. The constraint graph $\mathcal{G}_{norm}$ corresponding to $F_{norm}$ is the graph depicted in Figure 3.2.

Suppose we perform Fourier-Motzkin elimination using the heuristic of picking the vertex
for which the product of in-degree and out-degree is minimum. One order generated by this
heuristic is $v_2 < v_3 < v_1 < v_7 < v_4 < v_5 < v_6$. The resulting graph is shown in Figure 3.3.

The formula $F_{trans}$ comprising the generated transitivity constraints is


Figure 3.3: Illustration of Direct encoding. The final state of the constraint graph is shown, with
original edges indicated by solid lines and new edges indicated by dashed lines.
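The vertex-elimination procedure of Step 3, run on the eight constraints of Example 3.1 with the elimination order quoted in Example 3.3, as an added example that is not the thesis's own implementation. It assumes, as the proof of Theorem 3.2 does, that only a two-edge cycle of positive weight produces an implication to false; the tuple representation of edges and constraints, and the tie-break in the degree-product heuristic, are constructed here.

```python
from typing import List, Optional, Set, Tuple

# Constructed representation: (i, j, b) is the edge v_i -> v_j of weight b in the
# constraint graph, i.e. the difference constraint x_i >= x_j + b, whose Boolean
# variable in the skeleton F_bvar is e^b_{i,j}.
Edge = Tuple[int, int, int]
# A transitivity constraint (e1, e2, e3) reads e1 AND e2 => e3; e3 = None stands for false.
Trans = Tuple[Edge, Edge, Optional[Edge]]

# Constructed input: the eight constraints of Example 3.1 (the graph of Figure 3.2).
EXAMPLE_3_1: List[Edge] = [
    (1, 2, 0), (2, 3, 0), (3, 1, 1),
    (4, 5, 100), (5, 6, 50), (6, 4, -100), (6, 5, -49), (7, 4, -100),
]


def pick_vertex(vertices: Set[int], edges: Set[Edge]) -> int:
    """Heuristic of Step (3c): the vertex whose in-degree * out-degree is minimum."""
    def cost(v: int) -> Tuple[int, int]:
        ins = sum(1 for i, j, _ in edges if j == v)
        outs = sum(1 for i, j, _ in edges if i == v)
        return (ins * outs, v)                     # tie-break on index, for determinism
    return min(vertices, key=cost)


def transitivity_constraints(constraints: List[Edge],
                             order: Optional[List[int]] = None) -> List[Trans]:
    """Step 3 of the Direct encoding: eliminate vertices one at a time and collect
    F_trans. An explicit elimination order may be given; otherwise pick_vertex is used."""
    edges: Set[Edge] = set(constraints)            # one e-variable per unique constraint
    vertices: Set[int] = {v for i, j, _ in edges for v in (i, j)}
    pending = list(order) if order else []
    trans: List[Trans] = []
    while vertices:
        v = pending.pop(0) if pending else pick_vertex(vertices, edges)
        incoming = [e for e in edges if e[1] == v]
        outgoing = [e for e in edges if e[0] == v]
        for (j, _, b1) in incoming:
            for (_, k, b2) in outgoing:
                if j != k:                         # chain through v: new edge + implication
                    new_edge = (j, k, b1 + b2)
                    edges.add(new_edge)
                    trans.append(((j, v, b1), (v, k, b2), new_edge))
                elif b1 + b2 > 0:                  # two-edge cycle of positive weight
                    trans.append(((j, v, b1), (v, k, b2), None))
                # a two-edge cycle of weight <= 0 is satisfiable and yields nothing
        edges = {e for e in edges if v not in e[:2]}   # Step (3d): delete v and its edges
        vertices.discard(v)
    return trans


def render(t: Trans) -> str:
    """One constraint in the e^b_{i,j} notation of the text."""
    def ev(e: Edge) -> str:
        return f"e^{{{e[2]}}}_{{{e[0]},{e[1]}}}"
    p1, p2, c = t
    return f"{ev(p1)} ∧ {ev(p2)} ⟹ {ev(c) if c is not None else 'false'}"


if __name__ == "__main__":
    # The elimination order quoted in Example 3.3: v2 < v3 < v1 < v7 < v4 < v5 < v6.
    for t in transitivity_constraints(EXAMPLE_3_1, order=[2, 3, 1, 7, 4, 5, 6]):
        print(render(t))
```

With that order the run produces five constraints: two that introduce the new edges $(v_1, v_3, 0)$ and $(v_6, v_5, 0)$, and three implications to false for the positive-weight cycles through $v_3$ and $v_5$.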

Complexity 

In the worst case, the Direct encoding can generate exponentially many transitivity constraints in
the problem size. Here is an example that demonstrates this worst-case behavior.

Example 3.4 Consider the constraint graph in Figure 3.4. It is cyclic on $n$ vertices $v_1, \ldots, v_n$.
There are $n$ edges going from $v_i$ to $v_{i+1}$ for $1 \leq i \leq n - 1$ and also from $v_n$ to $v_1$ to close the
cycles. The weights on the edges are chosen as follows. For $1 \leq i \leq n - 1$, the weights on edges
going from $v_i$ to $v_{i+1}$ are $0, n^{i-1}, 2n^{i-1}, \ldots, (n-1)n^{i-1}$. The weights on edges going from $v_n$ to
$v_1$ are $0, n^{n-1}, 2n^{n-1}, \ldots, (n-1)n^{n-1}$.

Observe that there are $n^n$ distinct simple cycles in this graph, each with a different cumulative
weight in the range $[0, n^n - 1]$.

Thus, no matter what order of vertex elimination we select, in the $(n-2)$th vertex elimination step,
there will be $n^{n-1}$ new edges added. Each of these edges will form one edge of a two-edge cycle of
cumulative weight in the range $[0, n^n - 1]$.

Since every two-edge cycle yields a corresponding transitivity constraint, $O(n^n)$ transitivity constraints
will be generated on this example.

The weight of each edge in the starting graph, encoded in binary, requires $O(n \log n)$ space and
there are $n^2$ edges to start with. Thus, this example illustrates the worst-case scenario. □


Figure 3.4: Example demonstrating exponential blow-up of Direct encoding


3.4  Related  Work 

The  small-domain  and  direct  encoding  algorithms  were  originally  proposed  for  deciding  equality 
logic  (and  uninterpreted  functions)  via  translation  to  SAT.  Pnueli  et  al.  [122]  and  Bryant  et  al.  [28] 
proposed  different  small-domain  encoding  algorithms.  The  former  is  based  on  range  allocation, 
where  the  structure  of  the  formulas  is  analyzed  so  as  to  generate  a  set  of  values  (not  necessarily 
in  a  contiguous  range)  for  each  variable  over  which  it  suffices  to  search  for  satisfying  solutions. 
The  latter  approach  is  based  on  the  notion  of  positive  equality,  where  the  polarity  of  equalities 
in  the  formula  is  analyzed  to  reduce  the  small-domain  size  for  certain  variables  to  singleton  sets. 
The origins of the direct encoding algorithm are in a paper by Goel et al. [62], where the Boolean
reasoning is BDD-based. Bryant and Velev [32] later proposed the direct encoding algorithm for
equality logic based on generating transitivity constraints; the encoding algorithm for difference
logic described in this chapter is an extension of their work.

Recently, Talupur et al. [153] have proposed an extension of Pnueli et al.'s range allocation method
for difference logic. While the domains computed using their method can be far more compact than
the one derived in this chapter, the algorithm for computing those domains is currently a performance
bottleneck.


3.5  Discussion 

The  small-domain  encoding  method  can  be  viewed  as  a  “model  checking  approach”  to  deciding  the 
satisfiability  of  DL,  since  it  searches  for  a  model  for  the  formula  over  a  finite  domain.  On  the  other 
hand,  the  direct  encoding  method  can  be  viewed  as  a  “theorem  proving  approach,”  since  it  is  based 
on  creating  enough  Boolean  instances  of  the  axiom  of  transitivity  so  as  to  preserve  satisfiability. 

An  experimental  comparison  of  the  SD  and  Direct  encoding  methods  will  be  made  in  Chapter  6. 

In  the  remainder  of  this  thesis,  we  will  extend  the  SD  and  Direct  encoding  methods  to  apply  to 
richer  logics. 


Part  I 

SAT-Based  Decision  Procedures 


Chapter  4 


Generalized  2SAT  Constraints 


Generalized 2SAT constraints are a special class of linear constraints over integer variables. A
generalized 2SAT (G2SAT) constraint (also called a unit two variable per inequality or UTVPI constraint)
has at most two variables, and variable coefficients are in $\{-1, 1\}$. The variables are not
required to have finite upper or lower bounds. Useful optimization problems, such as the minimum
vertex cover and the maximum independent set problems, can be modeled using generalized
2SAT constraints, and several applications of constraint logic programming and automated theorem
proving also generate G2SAT constraints (e.g., see [10, 81]).

A G2SAT formula is a Boolean combination of G2SAT constraints. In this chapter, we consider the
problem of checking the satisfiability of G2SAT formulas. It is easily seen that this problem is NP-complete.
However, the special case of checking satisfiability of a conjunction of G2SAT constraints
(i.e., finding a feasible integer point in a G2SAT polyhedron) can be solved in polynomial time; for
example, a modified version of Fourier-Motzkin elimination (reviewed in Section 4.2) runs in $O(n^3)$
time.

Current approaches (e.g., [10]) to checking the satisfiability of a G2SAT formula employ a combination
of Boolean satisfiability solving and linear constraint solving. Truth values are assigned to
linear constraints so that the G2SAT formula is satisfied. Each such truth assignment corresponds to
a G2SAT polyhedron. If this polyhedron has a feasible integer point, that point satisfies the original
G2SAT formula as well. If not, another truth assignment must be found. Given a G2SAT formula
$F_{2sat}$ with $m$ constraints and $n$ variables, and assuming that integer feasibility is checked using
the aforementioned modified Fourier-Motzkin elimination algorithm, the current techniques have a
worst-case running time of $O(2^m \cdot n^3)$.¹

In this chapter, we prove that a satisfying solution exists for a G2SAT formula $F_{2sat}$ if and only if
there is a solution to $F_{2sat}$ with each variable taking values in the finite range $[-n \cdot (b_{max} + 1),\; n \cdot (b_{max} + 1)]$,
where $n$ is the number of variables in $F_{2sat}$, and $b_{max}$ is the maximum over the absolute
values of constant terms in the constraints. That such a bounded solution exists is not surprising,
since satisfiability solving of G2SAT formulas is in NP. However, the previously best known solution
bounds [22, 84, 118, 160] are $\Omega(n^2 \cdot (b_{max} + 1) \cdot 2^n)$. In particular, our result eliminates the $2^n$ term,
thereby exponentially reducing the solution bound.

Our result can be used to implement a small-domain encoding based decision procedure for G2SAT
formulas. Such a procedure checks satisfiability of G2SAT formulas in worst-case time $O(2^{n \log d})$
where $d = 2 \cdot n \cdot (b_{max} + 1)$, by encoding each integer variable with $\log d$ Boolean variables.
This yields a more efficient satisfiability checker for highly over-constrained formulas, where $m = O(n \cdot \log d)$.²
In our experience, the latter is often the case for theorem proving applications in
program analysis and hardware verification.

¹ Assuming the trivial worst-case bound of $O(2^N)$ for checking satisfiability of a Boolean formula in $N$ variables.

A  key  step  in  our  proof  is  to  show  that  for  a  G2SAT  polyhedron,  if  a  feasible  integer  point  exists, 
then  one  exists  within  a  unit  hypercube  centered  at  any  minimal  face  solution  (extreme  point).  As 
a  corollary  of  this  result,  we  obtain  a  polynomial-time  algorithm  for  approximating  optima  to  an 
additive  factor  in  generalized  2SAT  integer  programs. 

Our theoretical results are validated by an experimental evaluation (in Section 4.4) on randomly
generated G2SAT formulas, which shows that a decision procedure based on our approach can
greatly outperform other procedures.


4.1  Previous  Work 

There has been much previous work on integer programming with two variables per inequality (see,
e.g., the work by Hochbaum et al. [73-75]). The main differences between this work (applied to
G2SAT constraints) and ours are threefold. First, our focus is on satisfiability solving of arbitrary
G2SAT formulas and not linear optimization over G2SAT polyhedra. Second, we do not require
variables to be bounded. Finally, for our approximation result, the objective function can be an
arbitrary linear function, without any restriction on the sign of cost coefficients.

Previous results on bounding solutions have been derived in the context of showing that integer linear
programming is in NP [22, 84, 118, 160]. Even when specialized for G2SAT integer programs,
these bounds are $\Omega(n^2 \cdot (b_{max} + 1) \cdot 2^n)$. Our result is therefore an exponential reduction in the solution
bound for G2SAT integer programs, and, to the best of our knowledge, has not been obtained
before.

Our results rely on the modified version of Fourier-Motzkin elimination for checking integer feasibility
of a G2SAT polyhedron; this algorithm is described by Subramani [149], and an incremental
version has been given by Harvey and Stuckey [66].

² For a conjunction of G2SAT constraints, $m$ is $O(n^2)$, since one can eliminate redundant constraints. However, for
an arbitrary Boolean combination, this is not the case.

Theorem provers that can check G2SAT formulas, such as CVC-Lite [48], are essentially a combination
of a SAT solver and a solver for a system of linear constraints. In the case of CVC-Lite, this
solver is the Omega test [127], which for G2SAT constraints is identical to the modified Fourier-Motzkin
elimination algorithm referenced above.


4.2  Background 

We state here, in brief, some definitions and theorems used in the remainder of the chapter. Further
details can be found in standard textbooks on polyhedral theory and integer linear programming
(e.g., [112, 131]).

Following standard linear programming notation, we denote the number of variables by $n$ and the number
of constraints by $m$. We assume that a linear constraint is specified in the form $a \cdot x \geq b$, where
$a$ is an $n$-dimensional integer vector $[a_1, a_2, \ldots, a_n]$, $x$ is an $n$-dimensional vector of integer-valued
variables $[x_1, x_2, \ldots, x_n]$, and $b$ is an integer. A system of constraints is specified as $A \cdot x \geq b$,
where $A$ is an $m \times n$ matrix with integral entries, $b$ is an $m \times 1$ integer vector $[b_1, b_2, \ldots, b_m]^T$, and
$x$ is an $n \times 1$ vector of integer-valued variables. We use $b_{max}$ to denote the norm of $b$; i.e.,

$$b_{max} = \max_i |b_i|.$$

The terms feasible and satisfiable are used interchangeably, as also are lattice point and integer
point.

G2SAT  Formulas 

Definition 4.1 A constraint $a \cdot x \geq b$ is said to be an absolute constraint if exactly one of the $a_i$'s is
non-zero, a pure difference constraint if exactly two of the $a_i$'s are non-zero with one being $+1$ and
the other $-1$, and a sum constraint if exactly two of the $a_i$'s are non-zero with both $+1$ or both $-1$.

$a \cdot x \geq b$ is said to be a G2SAT constraint if it is either an absolute, a pure difference or a sum
constraint.

Note that difference constraints are either absolute or pure difference constraints.

A G2SAT formula is generated by the following grammar:

$F_{2sat}$ ::= true | false | $x_1 + x_2 \geq b$ | $x_1 - x_2 \geq b$ | $x \geq b$
          | $\neg F_{2sat}$ | $F_{2sat1} \wedge F_{2sat2}$ | $F_{2sat1} \vee F_{2sat2}$

Notice that a negation on a G2SAT constraint can be eliminated by rewriting the constraint. A
G2SAT constraint remains G2SAT under such rewriting. The only change is to the sign of variable
coefficients, and to the constant term, which can increase in absolute value by at most 1.

Example 4.1 Consider the following G2SAT formula

$$(\neg\, x_1 + x_2 \geq -1) \wedge (x_2 - x_3 \geq 0 \vee x_4 \geq 1)$$

The constraint $x_1 + x_2 \geq -1$ is a sum constraint, $x_2 - x_3 \geq 0$ is a pure difference constraint, and
$x_4 \geq 1$ is an absolute constraint. The negation can be eliminated to obtain an equivalent G2SAT
formula

$$-x_1 - x_2 \geq 2 \wedge (x_2 - x_3 \geq 0 \vee x_4 \geq 1)$$

Note that the value of $b_{max}$ has increased from 1 to 2 after eliminating the negation.

Not all families of linear constraints are closed under eliminating negations. For example, the class
of Horn-SAT constraints, which comprises all constraints with at most one variable with a positive
coefficient, is not closed under eliminating negations.

Definition 4.2 Given a G2SAT formula $F_{2sat}$, an enumeration bound is an integer $d$ such that $F_{2sat}$
is lattice point feasible if and only if it contains a lattice point in the $n$-dimensional hypercube
$\times_{i=1}^{n} [-d, d]$. The interval $[-d, d]$ is termed an enumeration domain.

Polyhedral Theory

Definition 4.3 A minimal face of a polyhedron is a face that does not contain any other face of the polyhedron. A point lying on a minimal face is called a minimal face solution (MFS).

When the minimal face is an extreme point (a vertex), a MFS is a basic feasible solution.

We write $(A', b') \subseteq (A, b)$ to indicate that the polyhedral system $A' \cdot x \geq b'$ is a subsystem of the polyhedral system $A \cdot x \geq b$. Also, for a matrix $A$, let $r(A)$ denote the rank of $A$. We have the following characterization of a minimal face.

Theorem 4.1 ([131]) Let $P = \{x : A \cdot x \geq b\}$ denote a polyhedron. A non-empty subset $F \subseteq P$ is a minimal face of $P$ if and only if $F = \{x : A' \cdot x = b'\}$ for some system $A' \cdot x \geq b'$, where $(A', b') \subseteq (A, b)$ and $r(A', b') = r(A, b)$.

Suppose we apply Fourier-Motzkin (FM) elimination to project a variable $x_j$ from a G2SAT polyhedron $P : A \cdot x \geq b$. Denote the resulting polyhedron by $\hat{P} : \hat{A} \cdot x \geq \hat{b}$. In general, $\hat{P}$ is not G2SAT. This is because adding a sum constraint involving $x_i$ and $x_j$ to a difference constraint involving those variables can result in a non-G2SAT constraint either of the form $2x_i \geq b$ or $-2x_i \geq b$.

However, it is possible to modify the basic FM elimination procedure by adding a coefficient normalization step, so that the resulting polyhedron remains G2SAT, and moreover, is lattice point feasible iff $P$ is. The modification hinges on the observation that the only non-G2SAT constraints in $\hat{P}$ are of the form $2x_i \geq b$ or $-2x_i \geq b$. By dividing both sides of a newly created non-G2SAT constraint by 2, and rounding up the RHS if it is an odd multiple of $\frac{1}{2}$, we obtain a G2SAT constraint with the same integral solutions as the original. In this way, we replace each non-G2SAT constraint in $\hat{P}$ with a corresponding G2SAT constraint to obtain a G2SAT polyhedron $P' : A' \cdot x' \geq b'$.

We will refer to the modified FM elimination procedure as Fourier-Motzkin elimination with coefficient normalization (FM-CN). It is easy to see that FM-CN preserves integral solutions, i.e., $P$ is lattice point feasible iff $P'$ is. One can use FM-CN to check the feasibility of G2SAT polyhedra in time $O(n^3)$, by successively eliminating variables, checking at each step that we do not generate a trivially false constraint. At any step, we are guaranteed to have a system of no more than $O(n^2)$ constraints, since there are only $4 \cdot \binom{n}{2}$ possible non-redundant G2SAT constraints on $n$ variables.


4.3 Theoretical Results

Our theoretical results are organized as follows. We begin, in Section 4.3.1, by showing that if a G2SAT polyhedron has a minimal face solution (MFS), then there exists a MFS with each component half-integral and in $[-n \cdot b_{\max}, n \cdot b_{\max}]$. The main theorem, presented in Section 4.3.3, enables us to go from bounding a MFS to bounding integer solutions. This theorem states that if a G2SAT polyhedron is integer feasible, then it is possible to find an integral solution within a unit box centered at any MFS; i.e., by “rounding” a MFS. In this section, we also describe how to extend results for G2SAT polyhedra to arbitrary G2SAT formulas. Section 4.3.2 presents auxiliary results on rounding that are used to prove the main theorem. Finally, in Section 4.3.4, we show that the main theorem can be used to obtain an additive approximation result for optimizing an arbitrary linear constraint over a G2SAT polyhedron.

4.3.1 Minimal Face Solutions of G2SAT Polyhedra

We begin with a useful lemma.

Lemma 4.1 Let $P : A \cdot x \geq b$ represent a system of $m$ pure difference constraints on $n$ variables. Then, $P$ has a feasible integer solution if and only if it has an integer solution in the hypercube $\prod_{i=1}^{n} [0, (n-1) \cdot b_{\max}]$.

Proof: Follows from Theorem 3.1. □

The following lemma considers bounding a MFS of a G2SAT polyhedron in the non-negative orthant.

Lemma 4.2 Let $P : A \cdot x \geq b,\ x \geq 0$ denote an arbitrary G2SAT polyhedron in the non-negative orthant with $m$ constraints and $n$ variables. Then, if a MFS exists, there is a MFS with each component half-integral and at most $n \cdot b_{\max}$.

Proof: Suppose polyhedron $P$ has a minimal face solution. Hochbaum et al. [75] have shown that this MFS must be half-integral. We focus here on showing the $n \cdot b_{\max}$ bound.

By definition, the minimal face corresponding to this MFS satisfies a system $A' \cdot x = b'$, where $(A', b') \subseteq (A, b)$, and $r(A') = r(A) = k$ for some $1 \leq k \leq n$ (assuming, w.l.o.g., that $m \leq n$). Accordingly, there are $k$ independent variables and $n - k$ dependent variables in the system; without loss of generality, we assume that the first $k$ variables are independent and set the dependent variables to 0. This results in a system $P_1 : A'' \cdot x'' = b'',\ x'' \geq 0$, where the components of $b''$ are also components of $b$, and $x'' = [x_1, x_2, \ldots, x_k]^T$.

The system $P_1$ contains 3 types of constraints (equations), viz., absolute, pure difference, and sum. We consider each of these types in turn:

1. An absolute constraint is of the form $x_i = b$. Since $x'' \geq 0$, the value of $x_i$ must be in $[0, b_{\max}]$.

2. A sum constraint can be written in the form $x_i + x_j = b$, where $b \geq 0$. Since $x'' \geq 0$, it follows that $0 \leq x_i, x_j \leq b \leq b_{\max}$.

3. From the two cases above, we conclude that the value of any variable appearing in an absolute or sum constraint must lie in $[0, b_{\max}]$ (and moreover, there exists such a half-integral value).

W.l.o.g., let $x_1, x_2, \ldots, x_l$, $l \leq k$, be the variables appearing in the absolute and sum constraints, and let $x_1^*, x_2^*, \ldots, x_l^*$ be the corresponding half-integral values in $[0, b_{\max}]$ satisfying these constraints. Substituting these values into the pure difference constraints might create new absolute constraints, but no new pure difference or sum constraints. The constant term in new absolute constraints generated thus is half-integral and of absolute value at most $2 b_{\max}$. The substitution process can be iterated at most $k - 1$ times, leading to absolute constraints with half-integral constant terms at most $k \cdot b_{\max}$. Thus, a variable appearing in any of the absolute constraints generated in this iterative process takes half-integral values in $[0, k \cdot b_{\max}]$.

When the above iterative substitution process terminates, the only constraints possibly left are some of the original pure difference constraints, each with an integral constant term of absolute value at most $b_{\max}$. Since these constraints are satisfiable, we can apply Lemma 4.1 to conclude that there exists a solution to these constraints with each variable taking integral values in $[0, (k-1) \cdot b_{\max}]$ (since at most $k$ variables appear in these constraints).

Since $k \leq n$, we conclude that there exists a solution to $P_1$ with each component at most $n \cdot b_{\max}$. □

We now generalize the result to an arbitrary G2SAT polyhedron.

Theorem 4.2 Let $P : A \cdot x \geq b$ denote an arbitrary G2SAT polyhedron with $m$ constraints and $n$ variables. If a MFS exists, there exists a MFS with each component half-integral and in the interval $[-n \cdot b_{\max}, n \cdot b_{\max}]$.

Proof: Suppose $x^*$ is a MFS of $P$. Let $j_1, j_2, \ldots, j_k$ be the set of all column indices, $1 \leq j_1, j_2, \ldots, j_k \leq n$, such that $x^*_{j_l} < 0$ for all $l$, $1 \leq l \leq k$. Construct a matrix $A'$ by multiplying the $j_l$th column of $A$ by $-1$ for all $l$, leaving other columns unchanged. We observe that:

1. The polyhedron $P' : A' \cdot x \geq b,\ x \geq 0$ is also G2SAT.

2. If we construct $x'^*$ from $x^*$ by negating $x^*_{j_l}$ for all $l$, $1 \leq l \leq k$, $x'^*$ satisfies $P'$. Moreover, we argue that it is a MFS of $P'$ as follows:

Let $(\bar{A}, \bar{b}) \subseteq (A, b)$ be the constraints satisfied with equality at $x^*$, and $(\bar{A}', \bar{b}') \subseteq (A', b)$ be the constraints satisfied with equality at $x'^*$. Then, $r(\bar{A}) = r(\bar{A}')$, since $\bar{A}$ and $\bar{A}'$ correspond to the same rows (of $A$ and $A'$ respectively). Also, note that $r(A) = r(A')$. Finally, since $(\bar{A}, \bar{b})$ define a minimal face of $P$, $r(\bar{A}) = r(A)$ [131].

Thus, $r(\bar{A}') = r(A')$, and so $x'^*$ is a MFS of $P'$.

Using an identical argument, we conclude that, from a MFS of $P'$, we can construct a MFS of $P$ by negating the values of $x_{j_1}, x_{j_2}, \ldots, x_{j_k}$.

Since $P'$ has a MFS, by Lemma 4.2 it must have a MFS with each component half-integral and in $[0, n \cdot b_{\max}]$. It follows that $P$ has a MFS with each component half-integral and in $[-n \cdot b_{\max}, n \cdot b_{\max}]$. □

Remark 4.1 Note that the enumeration bound stated in Theorem 4.2 is tight.

First, notice that if $b_{\max} = 0$, then the origin is a MFS, and the bound is tight.

Even if $b_{\max} > 0$, the enumeration domain is still tight in that one of its end points can be attained. For example, suppose that the system of constraints comprises the following $n$ equalities:

$x_1 = b_{\max}$

$x_i - x_{i-1} = b_{\max}, \quad 2 \leq i \leq n - 1$

$-x_n - x_{n-1} = b_{\max}$

It is easy to see that the solution set spans the interval $[-n \cdot b_{\max}, (n-1) \cdot b_{\max}]$. □
4.3.2 Rounding and Semi-Rounding

Definition 4.4 A rational number $x$ is said to be odd half-integral if it is an odd multiple of $\frac{1}{2}$.

Definition 4.5 A vector $z$ is said to be a rounding of a vector $x$ if $z$ is integral and $\|z - x\|_\infty < 1$.

Definition 4.6 A vector $z$ is said to be a semi-rounding of a vector $x$ if all of the following conditions hold: (1) $\|z - x\|_\infty < 1$; (2) all components of $z$ are half-integral; and (3) if a component of $x$ is integral, so is the corresponding component of $z$.

Lemma 4.3 Let $a \cdot x \geq b$ be a G2SAT constraint. Let $x^*$ be a half-integral vector such that $a \cdot x^* > b$, and let $w^*$ be an arbitrary semi-rounding of $x^*$. Then, $a \cdot w^* \geq b$.

Proof: The proof proceeds by case splitting on the number of variables in the constraint.

1. Suppose the constraint involves only one variable. Then, it is either of the form $x_i \geq b$ or $-x_i \geq b$. Correspondingly, we either have $x_i^* > b$ or $-x_i^* > b$. Since $x_i^*$ is half-integral, in both cases the LHS exceeds $b$ by at least $\frac{1}{2}$. Thus, any semi-rounding $w^*$ of $x^*$ satisfies the constraint.

2. Suppose the constraint has two variables, $x_i$ and $x_j$. Then, since $x_i^*$ and $x_j^*$ are both half-integral, one of the following two cases must hold:

(a) The LHS is integral, and exceeds $b$ by at least 1. But any semi-rounding of $x_i^*$ and $x_j^*$ can decrease the LHS by at most 1, and hence satisfies the constraint.

(b) The LHS is odd half-integral, i.e., one of $x_i^*$ and $x_j^*$ is integral and the other odd half-integral. Thus, the LHS exceeds $b$ by at least $\frac{1}{2}$. In this case, any semi-rounding of $x_i^*$ and $x_j^*$ can decrease the LHS by at most $\frac{1}{2}$, and will satisfy the constraint.

□

Since every rounding $z$ of $x^*$ is also a semi-rounding of $x^*$, we obtain the following corollary:

Corollary 4.1 Let $a \cdot x \geq b$ be a G2SAT constraint. Let $x^*$ be a half-integral vector such that $a \cdot x^* > b$, and let $z$ be an arbitrary rounding of $x^*$. Then, $a \cdot z \geq b$.

We now state a useful property of Fourier-Motzkin elimination with coefficient normalization.

Proposition 4.1 Let $P : A \cdot x \geq b$ denote a G2SAT polyhedron in $\mathbb{R}^{n+1}$ and $x^* = (x_1^*, x_2^*, \ldots, x_{n+1}^*)$ denote a half-integral feasible solution to $P$. Further, suppose that $P$ is lattice point feasible.

Let $P' : A' \cdot x' \geq b'$ be obtained from $P$ by projecting out variable $x_{n+1}$ using Fourier-Motzkin elimination with coefficient normalization, and denote $(x_1^*, x_2^*, \ldots, x_n^*)$ by $x'^*$. Then, there exists a semi-rounding $w'^*$ of $x'^*$ such that $w'^*$ is a solution to $P'$.
Proof: First, note that since $P$ is lattice point feasible, so is $P'$.

If $x'^*$ is already a solution to $P'$ then the theorem holds trivially.

So suppose that $x'^*$ does not satisfy $P'$. The only reason this occurs is because $x'^*$ is cut off by coefficient normalization, i.e., due to the presence of one or both of the following situations:

1. There exists at least one variable $x_i$, $i \in I$, such that $P$ has constraints of the form:

$x_i - x_{n+1} \geq b_i$ (4.1)

$x_i + x_{n+1} \geq b_i'$ (4.2)

which result in the following constraint in $P'$:

$x_i \geq \left\lceil \frac{b_i + b_i'}{2} \right\rceil$ (4.3)

where $b_i + b_i'$ is odd.

Since $x'^*$ does not satisfy $P'$, the following equality also holds:

$x_i^* = \frac{b_i + b_i'}{2}$ (4.4)

2. There exists at least one variable $x_j$, $j \in J$, such that $P$ has constraints of the form:

$-x_j + x_{n+1} \geq b_j$ (4.5)

$-x_j - x_{n+1} \geq b_j'$ (4.6)

which result in the following constraint in $P'$:

$x_j \leq \left\lfloor \frac{-b_j - b_j'}{2} \right\rfloor$ (4.7)

where $b_j + b_j'$ is odd.

Since $x'^*$ does not satisfy $P'$, the following equality also holds:

$x_j^* = \frac{-b_j - b_j'}{2}$ (4.8)

Note that for some $i \in I$ and $j \in J$, if $i = j$, then we must have $b_i + b_i' = -b_j - b_j'$. But that would mean that $P'$ is infeasible, since constraints (4.3) and (4.7) would contradict each other. Hence, we can assume hereafter that the two index sets $I$ and $J$ are disjoint.

We now give a rounding algorithm that generates a semi-rounding $w'^*$ of $x'^*$ that satisfies $P'$. The rounding algorithm is as follows:
1. Initialize the set of variables to be rounded up, $U$, to be $\{x_i \mid i \in I\}$. Similarly, initialize the set of variables to be rounded down, $V$, as $\{x_j \mid j \in J\}$.

2. $U_0 := U$, $V_0 := V$, $t := 0$.

3. Compute $U_{t+1}$ and $V_{t+1}$ as follows. For every $x_i \in U_t$ and $x_j \in V_t$,

(a) Include in $U_{t+1}$ any variable $x_k$ such that the following constraints in $P'$, which are valid for $P$, hold with equality at $x'^*$:

$x_k - x_i \geq b_{ki}$ (4.9)

$x_j + x_k \geq b_{jk}$ (4.10)

(b) Include in $V_{t+1}$ any variable $x_k$ such that the following constraints in $P'$, which are valid for $P$, hold with equality at $x'^*$:

$-x_k - x_i \geq b_{ki}'$ (4.11)

$x_j - x_k \geq b_{jk}'$ (4.12)

4. If $U_{t+1} \subseteq U$ and $V_{t+1} \subseteq V$, stop.

Otherwise, perform the assignments $U := U \cup U_{t+1}$, $V := V \cup V_{t+1}$, $t := t + 1$, and go to step (3).

It is easy to prove by induction on $t$ that for any $x_k \in U$, $k \notin I$, there either exists $i \in I$ and an integer $b_{ki}$ such that

$x_k^* - x_i^* = b_{ki}$ (4.13)

or a $j \in J$ and an integer $b_{jk}$ such that

$x_j^* + x_k^* = b_{jk}$ (4.14)

Similarly, for each $x_k \in V$, $k \notin J$, there either exists $i \in I$ and an integer $b_{ki}'$ such that

$-x_k^* - x_i^* = b_{ki}'$ (4.15)

or a $j \in J$ and an integer $b_{jk}'$ such that

$x_j^* - x_k^* = b_{jk}'$ (4.16)

Suppose the two sets $U$ and $V$ are disjoint. Then, to obtain a semi-rounding $w'^*$ of $x'^*$, we round up every variable in $U$ and round down every variable in $V$.

To complete the proof, the following two sub-goals remain to be established:
1. $U \cap V = \emptyset$.

2. $w'^*$ satisfies $P'$.

Assuming the first sub-goal, consider the second sub-goal first. We observe that:

• By Lemma 4.3, any constraints in $P'$ that are not satisfied with equality at $x'^*$ will continue to be satisfied by $w'^*$.

• From Equations (4.13)–(4.16), we note that for all $x_k \in U \cup V$, $x_k^*$ is odd half-integral, since it is an integral offset from $x_i^*$ or $x_j^*$ for some $i \in I$ or $j \in J$.

Thus, for all $x_k \in U \cup V$, there cannot be any absolute constraint involving $x_k$ in $P'$ that holds with equality at $x'^*$. Thus, by Lemma 4.3, the semi-rounding produced by the above algorithm satisfies these absolute constraints.

• Steps 3(a) and 3(b) of the rounding algorithm ensure that all two-variable constraints of $P'$ satisfied with equality at $x'^*$ continue to be satisfied by the generated semi-rounding. For example, if $x_k - x_i \geq b_{ki}$ is satisfied with equality at $x'^*$, and $x_i^*$ is rounded up, so is $x_k^*$, so the constraint continues to be satisfied.

Thus, if the two sets $U$ and $V$ are disjoint, we can conclude that $w'^*$ satisfies $P'$. We will now show that the former is indeed the case.

The proof is by contradiction. Suppose $U \cap V \neq \emptyset$. Let $x_k$ be a variable present in both sets. As we noted before, for any $i \in I$ and $j \in J$, $i \neq j$, so we can assume that $k$ is neither in $I$ nor in $J$. We have the following cases, each of which leads to a contradiction:

1. Equations (4.13) and (4.16) hold. Then, for some integer $b_{ji}$, we have

$x_j^* - x_i^* = b_{ji}$ (4.17)

The above equation corresponds to the following inequality derived by adding Inequalities (4.9) and (4.12), which is valid for both $P$ and $P'$:

$x_j - x_i \geq b_{ji}$ (4.18)

Further, from Equation (4.17) and Inequalities (4.1), (4.2), (4.5), and (4.6), we can conclude that

$-b_{ji} = x_i^* - x_j^* \geq b_i + b_j$ (4.19)

$-b_{ji} = x_i^* - x_j^* \geq b_i' + b_j'$ (4.20)

Also from Equations (4.4) and (4.8), we know that

$-b_{ji} = x_i^* - x_j^* = \frac{b_i + b_j + b_i' + b_j'}{2}$ (4.21)

From (4.19), (4.20), and (4.21) above, we infer that $b_i + b_j = b_i' + b_j' = -b_{ji}$.

Thus, the inequalities in (4.19) and (4.20) hold with equality. Also, from Inequalities (4.1) and (4.5), $x_i - x_j \geq b_i + b_j$ is valid for $P$. Thus, we can conclude that Inequality (4.18) holds with equality for $P$. This further implies that Inequalities (4.1), (4.2), (4.5), and (4.6) hold with equality for $P$.

Since there is a unique solution to Constraints (4.1), (4.2), (4.5), (4.6) and (4.18) that satisfies them with equality, in every feasible solution of $P$, $x_i = x_i^*$, $x_j = x_j^*$, and $x_{n+1} = x_{n+1}^*$. Since at least one of $x_i^*$ and $x_j^*$ is odd half-integral, this contradicts the premise that $P$ has a lattice point solution.

2. Equations (4.14) and (4.15) hold. This case is identical to Case (1) above.

3. Equations (4.14) and (4.16) hold. Then, we have

$x_j^* = \frac{b_{jk} + b_{jk}'}{2}$ (4.22)

This implies that $b_{jk} + b_{jk}'$ is odd.

Further, Equation (4.22) corresponds to the following valid cut for $P'$ (i.e., it preserves lattice point solutions), obtained by adding (4.10) and (4.12):

$x_j \geq \left\lceil \frac{b_{jk} + b_{jk}'}{2} \right\rceil$ (4.23)

However, Constraints (4.7) and (4.23) contradict each other, implying that $P'$ is not lattice point feasible, which contradicts the theorem's premise.

4. Equations (4.13) and (4.15) hold. This case is identical to Case (3) above.

Thus, $U \cap V = \emptyset$ and we obtain a semi-rounding $w'^*$ of $x'^*$ as required. This completes the proof.

□


4.3.3 Main Theorems

We now arrive at the key result of this chapter.

Theorem 4.3 Let $P : A \cdot x \geq b$ denote a G2SAT polyhedron and $x^*$ denote a half-integral MFS. If $P$ is lattice point feasible, then it contains a lattice point $z$ such that $\|z - x^*\|_\infty < 1$, i.e., $z$ is a rounding of $x^*$.
Proof: We prove the theorem by induction on the length of $x$.

Base Case: Let $x$ consist of a single variable $x \in \mathbb{R}$. If $x^*$ is a MFS, there exists a constraint $x \geq b$ that holds with equality for $x^*$. Thus, the theorem holds trivially for $z = x^*$.

Induction Step: Let us assume that the theorem holds for all vectors $x$ of length up to $n$.

Consider the case when $x \in \mathbb{R}^{n+1}$. Since $P$ has a MFS, by Theorem 4.2, it has one with half-integral entries. Let $x^* = (x_1^*, x_2^*, \ldots, x_{n+1}^*)$ be one such MFS of $P$. If $x^*$ is integral, we set $z$ to $x^*$ and we are done. So, let us assume that $x^*$ has some odd half-integral entries. Note that if two variables $x_i$ and $x_j$ appear together in a constraint of $P$ that holds with equality, either both $x_i^*$ and $x_j^*$ are integral or both are odd half-integral.

Project variable $x_{n+1}$ out of $P$ using Fourier-Motzkin elimination with coefficient normalization (FM-CN). Let $P' : A' \cdot x' \geq b'$ be the resulting system, where $x' \in \mathbb{R}^n$.

Suppose there exists a lattice point solution $y = (y_1, y_2, \ldots, y_{n+1})$ of $P$. Thus, $y' = (y_1, y_2, \ldots, y_n)$ is a lattice point solution of $P'$.

Consider $x'^* = (x_1^*, x_2^*, \ldots, x_n^*)$. We will show that there exists a rounding $z' = (z_1, z_2, \ldots, z_n)$ of $x'^*$ which satisfies $P'$. We consider the following three cases:

Case 1: $x'^*$ is in the interior of $P'$, i.e., none of the constraints in $A' \cdot x' \geq b'$ hold with equality. By Corollary 4.1, any rounding of $x'^*$ yields a lattice point solution $z'$ of $P'$.

Case 2: Suppose that $x'^*$ is a solution of $P'$ that satisfies some constraints with equality. Suppose that for some $(A'', b'') \subseteq (A', b')$, $A'' \cdot x'^* = b''$, and the remaining constraints are strict, i.e., not satisfied with equality. Since $x'^*$ is a MFS of $A'' \cdot x' \geq b''$, by the induction hypothesis, we can conclude that there exists a lattice point rounding $z'$ of $x'^*$ such that $z'$ is a solution of $A'' \cdot x' \geq b''$. Since, by Corollary 4.1, any rounding of $x'^*$ satisfies the strict constraints, $z'$ is also a lattice point solution of $P'$.

Case 3: It is possible that after coefficient normalization, $x'^*$ does not satisfy $P'$. By Proposition 4.1, there exists a semi-rounding $w'^*$ of $x'^*$ that satisfies $P'$. Thus, either Case (1) or Case (2) applies with $x'^*$ replaced by $w'^*$, and we can obtain a rounding $z'$ of $w'^*$ that is a lattice point solution of $P'$. Finally, note that a rounding of $w'^*$ is also a rounding of $x'^*$, since integral components of $x'^*$ are preserved in $w'^*$. This completes Case (3).

Thus, we can obtain a lattice point solution $z'$ of $P'$ that is a rounding of $x'^*$.

Since $P$ is G2SAT, and $P'$ is obtained from $P$ using FM-CN, a lattice point solution of $P'$ can be extended to one of $P$. Thus, there exists an integral $z_{n+1}$ such that $z = (z_1, z_2, \ldots, z_n, z_{n+1})$ is a solution of $P$.

To complete the proof, we show that there exists such an integral $z_{n+1}$ that is moreover a rounding of $x_{n+1}^*$. Since $x^*$ is a MFS of $P$, there exists a subset of constraints $(\bar{A}, \bar{b})$ of $(A, b)$ that hold with equality at $x^*$. The value of $x_{n+1}$ is constrained only by the values of other variables $x_j$ such that there exists an equation in $\bar{A} \cdot x = \bar{b}$ in which $x_{n+1}$ and $x_j$ appear together. Let $J$ be the index set of all such variables $x_j$. We now show that there exists a rounding $z_{n+1}$ of $x_{n+1}^*$ that satisfies $P_1 : \bar{A} \cdot x \geq \bar{b}$. There are two cases:

1. If $x_{n+1}^*$ is integral, so is $x_j^*$ for all $j \in J$. Thus, $z_{n+1} = x_{n+1}^*$ satisfies $P_1$, and we are done.

2. If $x_{n+1}^*$ is odd half-integral, so is $x_j^*$ for all $j \in J$. In this case, we claim that there exists a consistent way to round $x_{n+1}^*$, either up or down, so that the result satisfies $P_1$. Suppose not, i.e., there exist constraints that force $x_{n+1}^*$ to be rounded up as well as down. There are four instances in which this might occur:

(a) There exist constraints $x_{n+1} - x_i \geq b$ and $x_j - x_{n+1} \geq b'$ in $P$ that hold with equality at $x^*$; furthermore, $z_j = \lfloor x_j^* \rfloor$ and $z_i = \lceil x_i^* \rceil$. Thus, we have $x_j^* - x_i^* = b + b'$, but $z_j - z_i < b + b'$. Since $x_j - x_i \geq b + b'$ is a valid inequality for $P$, this means that $z$ does not lie in $P$, a contradiction.

(b) There exist constraints $-x_{n+1} - x_i \geq b$ and $x_j + x_{n+1} \geq b'$ in $P$ that hold with equality at $x^*$; furthermore, $z_j = \lfloor x_j^* \rfloor$ and $z_i = \lceil x_i^* \rceil$. This case is identical to Case (2a) above.

(c) There exist constraints $x_j - x_{n+1} \geq b$ and $x_j + x_{n+1} \geq b'$ in $P$ that hold with equality at $x^*$, with $z_j = \lfloor x_j^* \rfloor$. Thus, $2 x_j^* = b + b'$. Since $x_j^*$ is odd half-integral, $b + b'$ must be an odd integer. Moreover, $2 z_j < b + b'$. However, since $2 x_j \geq b + b'$ is a valid inequality for $P$, this means that $z$ does not lie in $P$, a contradiction.

(d) There exist constraints $x_{n+1} - x_i \geq b$ and $-x_{n+1} - x_i \geq b'$ in $P$ that hold with equality at $x^*$, with $z_i = \lceil x_i^* \rceil$. This case is identical to Case (2c) above.

Thus, there exists a consistent way to round $x_{n+1}^*$ either up or down and satisfy every constraint in $P_1$. Let $z_{n+1}$ be this rounding.

Applying Corollary 4.1, any rounding of $x^*$ satisfies the constraints in $(A, b) \setminus (\bar{A}, \bar{b})$.

Thus, we can obtain a rounding $z$ of $x^*$ that is a lattice point solution of $P$.

□

From Theorem 4.2 and Theorem 4.3, we can conclude the following theorem.

Theorem 4.4 Let $P : A \cdot x \geq b$ denote a G2SAT polyhedron with $m$ constraints and $n$ variables. Then, $P$ has enumeration bound $n \cdot b_{\max}$.

The above result is easily generalized for arbitrary G2SAT formulas.

Theorem 4.5 Let $F_{2sat}$ denote a G2SAT formula with $m$ constraints and $n$ variables, and let $b_{\max}$ be the maximum over the absolute values of constant terms appearing in $F_{2sat}$. Then, $F_{2sat}$ has enumeration bound $n \cdot (b_{\max} + 1)$.

Proof: If $F_{2sat}$ has a satisfying integer solution, that solution must satisfy one of the terms in the disjunctive normal form (DNF) of $F_{2sat}$. Each term in the DNF representation of $F_{2sat}$ is a G2SAT polyhedron in which the constant term in any constraint has absolute value at most $b_{\max} + 1$ (we use $b_{\max} + 1$ in place of $b_{\max}$ to account for eliminating negations on constraints). It follows that there is a solution to $F_{2sat}$ in $[-n \cdot (b_{\max} + 1), n \cdot (b_{\max} + 1)]$. □
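The following Python is an added example, not code from the thesis, that carries Definition 4.2, the negation elimination of Example 4.1 and the bound of Theorem 4.5 through on a small formula. The tuple encoding of formulas, the function names and the sample formulas are all constructed for this example; it eliminates negations the way the text describes (flipping coefficients and adding 1 to the constant), computes $d = n \cdot (b_{\max} + 1)$ with $b_{\max}$ taken over the original formula, and then searches the enumeration domain $[-d, d]^n$ exhaustively, which is sound by Theorem 4.5 but is only meant for formulas this small.

```python
from itertools import product

# Added example (not the thesis's code). A G2SAT formula is a nested tuple:
# ('c', terms, b) is the constraint a.x >= b with `terms` a tuple of
# (variable, coefficient) pairs; ('not', f), ('and', f, g), ('or', f, g),
# ('true',) and ('false',) are the connectives. Encoding and sample formulas
# are constructed for this example.


def push_negations(f, negate=False):
    """Return a negation-free G2SAT formula equivalent to f.

    not(a.x >= b)  <=>  a.x <= b - 1  <=>  (-a).x >= -b + 1,
    so a negated constraint stays G2SAT: the coefficients flip sign and the
    constant term grows in absolute value by at most 1 (Example 4.1).
    """
    tag = f[0]
    if tag == "c":
        _, terms, b = f
        if not negate:
            return f
        return ("c", tuple((v, -a) for v, a in terms), -b + 1)
    if tag == "not":
        return push_negations(f[1], not negate)
    if tag in ("true", "false"):
        if not negate:
            return f
        return ("false",) if tag == "true" else ("true",)
    # De Morgan: a negation swaps 'and' and 'or'.
    op = {"and": "or", "or": "and"}[tag] if negate else tag
    return (op, push_negations(f[1], negate), push_negations(f[2], negate))


def constraints(f):
    """Yield every ('c', terms, b) leaf of f."""
    if f[0] == "c":
        yield f
    elif f[0] == "not":
        yield from constraints(f[1])
    elif f[0] in ("and", "or"):
        yield from constraints(f[1])
        yield from constraints(f[2])


def b_max(f):
    """Norm of the constant terms: max |b_i| over all constraints of f."""
    return max((abs(c[2]) for c in constraints(f)), default=0)


def variables(f):
    return sorted({v for c in constraints(f) for v, _ in c[1]})


def enumeration_bound(f):
    """Theorem 4.5: d = n * (b_max + 1) is an enumeration bound for f."""
    return len(variables(f)) * (b_max(f) + 1)


def evaluate(f, point):
    """Truth value of f under the integer assignment `point` (dict var -> int)."""
    tag = f[0]
    if tag == "c":
        return sum(a * point[v] for v, a in f[1]) >= f[2]
    if tag == "not":
        return not evaluate(f[1], point)
    if tag == "and":
        return evaluate(f[1], point) and evaluate(f[2], point)
    if tag == "or":
        return evaluate(f[1], point) or evaluate(f[2], point)
    return tag == "true"


def find_lattice_point(f):
    """Search the enumeration domain [-d, d]^n for a satisfying integer point.

    By Definition 4.2 and Theorem 4.5, None means f has no integer solution
    anywhere, not merely none inside the box.
    """
    d = enumeration_bound(f)
    names = variables(f)
    for values in product(range(-d, d + 1), repeat=len(names)):
        point = dict(zip(names, values))
        if evaluate(f, point):
            return point
    return None


# Example 4.1 of the text: (not(x1 + x2 >= -1)) and (x2 - x3 >= 0 or x4 >= 1).
EXAMPLE_4_1 = ("and",
               ("not", ("c", (("x1", 1), ("x2", 1)), -1)),
               ("or", ("c", (("x2", 1), ("x3", -1)), 0),
                      ("c", (("x4", 1),), 1)))

# Constructed unsatisfiable formula: x1 >= 1 and not(x1 >= 0).
UNSAT = ("and", ("c", (("x1", 1),), 1), ("not", ("c", (("x1", 1),), 0)))

if __name__ == "__main__":
    print(push_negations(EXAMPLE_4_1))          # -x1 - x2 >= 2 and (...)
    print(b_max(EXAMPLE_4_1), b_max(push_negations(EXAMPLE_4_1)))  # 1 2
    print(enumeration_bound(EXAMPLE_4_1))       # 4 * (1 + 1) = 8
    print(find_lattice_point(EXAMPLE_4_1))      # a point in [-8, 8]^4
    print(find_lattice_point(UNSAT))            # None
```

The bound is computed from $b_{\max}$ of the formula as given, so it is $4 \cdot (1 + 1) = 8$ for Example 4.1 even though the negation-free form has $b_{\max} = 2$; either way the search is over a box whose side grows only linearly in $n$ and $b_{\max}$, which is the property the Boolean encoding of Section 4.4.1 relies on.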

4.3.4 Approximation Results for Optimization

Consider the problem of optimizing an arbitrary linear function over a G2SAT polyhedron $P$. This problem is NP-hard (minimum vertex cover is a special case). As a corollary of Theorem 4.3, we obtain the following theorem showing that one can approximate the optimal value to within an additive factor.

Theorem 4.6 Let $P = \{x : A \cdot x \geq b\}$ denote a G2SAT polyhedron that contains a lattice point. Let the integer linear program be $\max\{c \cdot x : x \in P\}$.

If the optimum value is finite, solving the LP-relaxation and rounding the solution can yield a feasible lattice point that approximates the optimum to within an additive factor of $\pm \frac{\sum_{j=1}^{n} |c_j|}{2}$. If the LP-relaxation is unbounded, so is the integer program.

Proof: If the optimum value $v^*$ of the LP-relaxation is finite, it is attained at a MFS $x^*$. Since $P$ is lattice point feasible, by Theorem 4.3, there exists a lattice point $z$ in $P$ such that $\|z - x^*\|_\infty < 1$. It follows that $c \cdot z$ is within $\pm \frac{\sum_{j=1}^{n} |c_j|}{2}$ of $v^*$, and hence of the integer optimum.

If the LP-relaxation is unbounded, so must be the integer program, since $P$ is lattice point feasible [112]. □

Moreover, an approximate solution can be obtained in polynomial time in the following three steps:

1. Check whether $P$ is lattice point feasible using Fourier-Motzkin elimination with coefficient normalization. If $P$ is lattice point infeasible, stop.

2. If $P$ is lattice point feasible, solve its LP-relaxation. If it is unbounded, we conclude that the original IP is also unbounded. Otherwise, the optimum is attained at a MFS $x^*$.

3. Round $x^*$ to obtain an integer solution that is within $\pm \frac{\sum_{j=1}^{n} |c_j|}{2}$ of the optimum. The rounding is performed as follows. For each variable $x_i$ that has an odd half-integral value $x_i^*$, we check whether adding the constraint $x_i = \lceil x_i^* \rceil$ to $P$ preserves lattice point feasibility. If not, we set $x_i$ to $\lfloor x_i^* \rfloor$ and iterate, picking another variable to round, until we have obtained a feasible integer solution.

It is easy to see that each step can be performed in polynomial time. Notice that if lattice point feasibility is preserved by setting $x_i$ either to $\lceil x_i^* \rceil$ or to $\lfloor x_i^* \rfloor$, the direction of rounding can be chosen heuristically to obtain a tighter approximation.

Our approximation theorem is general, in that it applies to any generalized 2SAT integer program, including non 0-1 programs with arbitrary coefficients in the objective function. However, the approximation factor is additive, and the result is more likely to be useful for non 0-1 programs. In contrast, the results of Hochbaum et al. [75] guarantee a 2-approximation for G2SAT integer programs expressed as a minimization problem where the objective function is required to have non-negative coefficients.


4.4  Experimental  Evaluation 

We  now  present  experimental  results  demonstrating  that  a  decision  procedure  based  on  the  solution 
bound  derived  herein  can  outperform  other  state-of-the-art  procedures. 

4.4.1  Implementation 

We implemented a decision procedure that operates in three steps. First, given a G2SAT formula
$F_{2SAT}$, it computes the enumeration bound $n \cdot (b_{\max} + 1)$. Second, it translates the input G2SAT
formula to a Boolean formula by replacing each integer variable by a finite-precision, signed bit-vector
that can take any value in the range $[-n \cdot (b_{\max} + 1),\; n \cdot (b_{\max} + 1)]$. Arithmetic and
relational operators are then encoded as arithmetic circuits and comparators. Let $F_{bool}$ denote the
resulting Boolean formula. Clearly, $F_{bool}$ is satisfiable if and only if $F_{2SAT}$ is satisfiable. Thus,
the final step consists of invoking a Boolean satisfiability (SAT) solver on $F_{bool}$. Notice that the
translation to SAT takes polynomial time and that the size of $F_{bool}$ is polynomial in that of $F_{2SAT}$.

The  main  reason  for  using  a  translation  to  SAT,  as  opposed  to  a  non-SAT-based  procedure,  is  that 
our  benchmarks  possess  a  non-trivial  Boolean  structure.  Also,  by  this  approach,  we  can  leverage 
the  recent  advances  in  SAT  solving  (e.g.,  [63, 104]).  For  our  experiments,  we  employed  the  zChaff 
satisfiability  solver  [104];  however,  any  other  SAT  solver  can  be  employed  instead  just  as  easily. 
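The following Python is an added illustration, not code from the thesis or from UCLID: it decides a small G2SAT formula by searching the enumeration domain $[-n \cdot (b_{\max}+1),\; n \cdot (b_{\max}+1)]^n$ directly, rather than bit-blasting to SAT, and reports the signed bit-vector width the SAT encoding would need. The constraint form $a x + b y \geq c$ with $a, b \in \{-1, 0, 1\}$, the formula representation and the two sample formulas are assumptions of the example.

```python
"""Bounded-enumeration decision procedure for a small G2SAT formula.

Added illustration, not UCLID's implementation. A G2SAT constraint is assumed
to have the form a*x + b*y >= c with a, b in {-1, 0, 1} and integer c; a
formula is a Boolean combination ("and", "or", "not") of such constraints.
"""
from itertools import product
from math import ceil, log2

# A constraint is the tuple (a, x, b, y, c) encoding a*x + b*y >= c.
# A formula node is ("c", constraint) | ("not", f) | ("and", f, ...) | ("or", f, ...).


def variables(formula):
    """Variable names occurring in the formula; n = len(variables(formula))."""
    tag, *args = formula
    if tag == "c":
        a, x, b, y, _ = args[0]
        return {v for coef, v in ((a, x), (b, y)) if coef != 0}
    return set().union(*(variables(f) for f in args))


def max_constant(formula):
    """b_max: the largest absolute constant term over all constraints."""
    tag, *args = formula
    if tag == "c":
        return abs(args[0][4])
    return max(max_constant(f) for f in args)


def enumeration_bound(formula):
    """n * (b_max + 1): a satisfiable formula has a model inside [-B, B]^n."""
    return len(variables(formula)) * (max_constant(formula) + 1)


def bitvector_width(bound):
    """Bits of a signed (two's-complement) bit-vector that covers [-bound, bound]."""
    return 1 + ceil(log2(bound + 1))


def evaluate(formula, env):
    """Truth value of the formula under the integer assignment env."""
    tag, *args = formula
    if tag == "c":
        a, x, b, y, c = args[0]
        return a * env.get(x, 0) + b * env.get(y, 0) >= c
    if tag == "not":
        return not evaluate(args[0], env)
    if tag == "and":
        return all(evaluate(f, env) for f in args)
    if tag == "or":
        return any(evaluate(f, env) for f in args)
    raise ValueError(f"unknown node {tag!r}")


def decide(formula):
    """Return a satisfying assignment from the enumeration domain, or None.

    Completeness rests on the solution bound: if no point of [-B, B]^n
    satisfies the formula, then no integer point does.
    """
    names = sorted(variables(formula))
    B = enumeration_bound(formula)
    for values in product(range(-B, B + 1), repeat=len(names)):
        env = dict(zip(names, values))
        if evaluate(formula, env):
            return env
    return None


def c(a, x, b, y, rhs):
    """Build the constraint node a*x + b*y >= rhs."""
    return ("c", (a, x, b, y, rhs))


# Constructed sample formulas (not taken from the thesis benchmarks).
# Satisfiable: (x - y >= 3) and (not (x >= 1) or (y - x >= -2))
SAT_FORMULA = ("and", c(1, "x", -1, "y", 3),
               ("or", ("not", c(1, "x", 0, "y", 1)), c(-1, "x", 1, "y", -2)))
# Unsatisfiable: (x - y >= 3) and (y - x >= -2), the second says x - y <= 2
UNSAT_FORMULA = ("and", c(1, "x", -1, "y", 3), c(-1, "x", 1, "y", -2))

if __name__ == "__main__":
    for name, f in (("SAT_FORMULA", SAT_FORMULA), ("UNSAT_FORMULA", UNSAT_FORMULA)):
        B = enumeration_bound(f)
        print(name, "bound:", B, "bits:", bitvector_width(B), "model:", decide(f))
```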

4.4.2  Setup 

A set of randomly generated G2SAT formulas was used for the experimental evaluation. A G2SAT
formula can be viewed as a Boolean circuit where the inputs to the circuit are G2SAT constraints
rather than being Boolean variables. Each formula was generated based on 3 parameters: the maximum
number of variables, an upper bound on the size of the constant term, and the maximum depth
of the circuit. We varied the maximum number of variables over the set {40, 80, 160, 320, 640}, the
constant term upper bound over the set {16, 256, 4096, 65536, 1048576}, and the maximum circuit
depth over {6, 7, 8, 9, 10}. For each choice of these three parameters, we generated a formula using
one of three different random seeds; the seed was used in generating, at each level in the circuit,
either a randomly chosen Boolean operator or a G2SAT constraint. The variables and constant term
in each G2SAT constraint were randomly generated as well. Finally, the resulting G2SAT formula
was conjoined with a set of upper and lower bound constraints on each variable, where the bounds
were randomly selected to be between 0 and the upper bound on the constant term. This last operation
was performed in order to generate a mix of both satisfiable and unsatisfiable formulas. Thus,
in total, the benchmark suite comprises 375 formulas, of which 202 are unsatisfiable.

We compared our procedure against two other decision procedures. Both are based on a combination
of a SAT solver with a solver for a system of integer linear constraints. The first is a publicly
available theorem prover called CVC-Lite [48] (the version available as of December 2004). CVC-Lite
uses a SAT solver for finding Boolean assignments to the formula, treating G2SAT constraints as
Boolean literals. For every such assignment, it decides the feasibility of the corresponding conjunction
of G2SAT constraints by using the FM-CN procedure (it actually uses the Omega test [127],
which specializes to FM-CN for G2SAT constraints). Details about CVC-Lite's operation can be
found in the papers by Barrett et al. and Ganesh et al. [13, 17]. The SAT solver used by CVC-Lite
is a modified version of the zChaff solver used by our procedure. The second decision procedure,
written by Daniel Kroening (currently at ETH Zurich), works on similar principles to CVC-Lite,
except that it uses the CPLEX commercial optimization software [46] (version 9.0) instead of the
FM-CN procedure. This procedure also uses the zChaff solver as its SAT solving engine.

Experiments were run on a Linux workstation with a 2 GHz Pentium 4 processor and 1 GB of RAM.
Our decision procedure, called UCLID, is written mostly in Moscow ML, a dialect of Standard ML.
A timeout of 600 seconds was imposed on each run.

4.4.3  Comparison 

Figures 4.1 and 4.2 compare UCLID's total time (time for both encoding and SAT solving) to that
taken by CVC-Lite and the CPLEX-based solver respectively. In each plot, the y-coordinate of a
point is the time taken by UCLID, and the x-coordinate is the time taken by the decision procedure
we compare it against. UCLID's total time is dominated by the SAT solving time. Note that the
X and Y axes are on different scales. This is because UCLID finishes within 30 seconds on all
benchmarks whereas the run-times for the other solvers are spread out over the entire range [0, 600].

Figure 4.1: Experimental comparison of UCLID versus CVC-Lite for G2SAT formulas. Note
that the scale on the Y-axis is about 20 times that of the X-axis.


Figure 4.2: Experimental comparison of UCLID versus CPLEX-based solver for G2SAT formulas.
Note that the scale on the Y-axis is about 20 times that of the X-axis.

First, consider the comparison with CVC-Lite. We observe from Figure 4.1 that CVC-Lite performs
worse than UCLID overall, timing out on 95 of the 375 benchmarks. However, note that there are
171 benchmarks on which CVC-Lite outperforms UCLID. UCLID completes within 15 seconds on
all of these benchmarks, and within 5 seconds on all but 22 of them.

The comparison with the CPLEX-based solver yields similar results, as one can observe in
Figure 4.2. In fact, the CPLEX-based solver even performs worse than CVC-Lite, timing out on 246 of
the 375 benchmarks. UCLID is outperformed on only 16 benchmarks, on all of which it terminates
within 7 seconds.

We further analyzed our results by dividing the benchmarks into 4 categories, with each category
comprising benchmarks on which UCLID's time falls within a certain range. For each category, we
computed the percentage of benchmarks on which UCLID outperforms the other two solvers. This
data is displayed in Table 4.1. We note that the benchmarks on which UCLID is outperformed are
those on which both it and the competing solver finish within a few seconds. Note also that UCLID
finishes within 5 seconds on over 80% of the benchmarks.


UCLID time range    Number of     % of benchmarks on which UCLID runs faster
(time in seconds)   benchmarks    CVC-Lite prover    CPLEX-based solver
[0, 5]              315           52.38              95.24
(5, 10]             42            54.76              97.62
(10, 20]            15            80.00              100.00
(20, 30)            3             100.00             100.00

Table 4.1: Comparing UCLID with other solvers using a time-wise break-up of benchmarks.
The second column indicates the number of benchmarks on which UCLID's run-time is within the
indicated range.


Thus,  one  can  conclude  that  the  enumerative  approach  presented  herein  can  greatly  outperform  a 
more  traditional  approach  based  on  combining  a  SAT  solver  with  a  constraint  solver.  The  main 
reason for this seems to be that solvers based on the latter approach enumerate several SAT
assignments that, while satisfying the Boolean skeleton of the formula, correspond to infeasible systems
of  G2SAT  constraints.  On  the  other  hand,  UCLID's  encoding  adds  in  all  the  “G2SAT  information” 
necessary  for  the  SAT  solver  to  significantly  prune  its  search  space. 


4.5  Summary 

We have proposed a new approach to deciding the satisfiability of Boolean combinations of
generalized 2SAT constraints. The central insight is that it is sufficient to search for bounded solutions,
where each variable is restricted within the finite range $[-n \cdot (b_{\max} + 1),\; n \cdot (b_{\max} + 1)]$. The
solution bound we derive improves over previous results by an exponential factor. The key step in our
derivation is a novel result for G2SAT polyhedra on finding integer solutions by rounding minimal
face solutions. Experiments demonstrate the efficacy of a SAT-based decision procedure based on
our theoretical results.


Chapter  5 


Quantifier-Free  Presburger  Arithmetic 


Presburger arithmetic [125] is defined as the first-order theory of the structure $(\mathbb{N}, 0, 1, \leq, +)$, where
$\mathbb{N}$ denotes the set of natural numbers. The satisfiability problem for Presburger arithmetic is
decidable, but of super-exponential worst-case complexity [54]. Fortunately, for many applications, such
as in program analysis (e.g., [127]) and hardware verification (e.g., [26]), the quantifier-free
fragment suffices. We are concerned, in this chapter, with the satisfiability problem for this fragment.

A formula $F_{QFP}$ in quantifier-free Presburger arithmetic (QFP) is constructed by combining linear
constraints with Boolean operators ($\wedge$, $\vee$, $\neg$). Formally, the $i$-th constraint is of the form

$$
\sum_{j=1}^{n} a_{i,j}\, x_j \geq b_i
$$

where the coefficients and the constant terms are integer constants and the variables $x_1, \ldots, x_n$
are integer-valued¹. An integer linear program is a conjunction of linear constraints, and hence is a
special kind of QFP formula.

The satisfiability problem for QFP is NP-complete. The NP-hardness follows from a straightforward
encoding of the 3SAT problem as a 0-1 integer linear program. That it is moreover in NP can be
concluded from the result that integer linear programming is in NP [22, 84, 118, 160].

Thus, if there is a satisfying solution to a QFP formula, there is one whose size, measured in bits,
is polynomially bounded in the problem size. Problem size is traditionally measured in terms of
the parameters $m$, $n$, $\log a_{\max}$, and $\log b_{\max}$. Recall that $m$ is the total number of constraints in
the formula, $n$ is the number of variables, and $a_{\max} = \max_{(i,j)} |a_{i,j}|$ and $b_{\max} = \max_i |b_i|$ are the
maximums of the absolute values of coefficients and constant terms respectively.

¹While Presburger arithmetic is defined over $\mathbb{N}$, we interpret the variables over $\mathbb{Z}$ as it is general and more suitable for
applications. It is straightforward to translate a formula with integer variables to one where variables are interpreted over
$\mathbb{N}$, and vice-versa, by adding (linearly many) additional variables or constraints.
Project   Maximum Fraction of           Maximum Width of a
          Non-Difference Constraints    Non-Difference Constraint
Blast     0.0255                        6
Magic     0.0032                        2
MIT       0.0087                        3
WiSA      0.0091                        4

Table 5.1: Linear arithmetic constraints in software verification are mostly difference
constraints. For each software verification project, the maximum fraction of non-difference constraints
is shown, as well as the maximum width of a non-difference constraint, where the maximum is taken
over all formulas in the set. The Blast formulas were generated from device drivers written in C, the
Magic formulas from an implementation of OpenSSL written in C, the MIT formulas from Java
programs, and the WiSA formulas were generated in the checking of format string vulnerabilities.

The above result implies that we can use a small-domain (SD) encoding approach to checking the
satisfiability of a QFP formula $F_{QFP}$. To recapitulate, we first compute the polynomial bound $S$ on
solution size, and then search for a satisfying solution to $F_{QFP}$ in the bounded space
$\{0, 1, \ldots, 2^S - 1\}^n$. However, a naive implementation of a SD-based decision procedure fails for QFP formulas
encountered in practice. The problem is that the bound on solution size, $S$, is
$O(\log m + \log b_{\max} + m\,[\log m + \log a_{\max}])$. In particular, the presence of the $m \log m$ term means that, for practical
problems involving hundreds of linear constraints, the Boolean formulas generated are likely to be
too large to be decided by present-day SAT solvers.

In this chapter, we explore the small-domain encoding approach to deciding QFP formulas, but with
a focus on formulas generated in software verification. It has been observed, by us and others, that
formulas from this domain have:

1. Mainly Difference Constraints: Of the $m$ constraints, $m - k$ are difference constraints, where
$k \ll m$.

2. Sparse Structure: The $k$ non-difference constraints are sparse, with at most $w$ variables per
constraint, where $w$ is "small". We will refer to $w$ as the width of the constraint.

Pratt [124] observed that most inequalities generated in program verification are difference
constraints. More recently, the authors of the theorem prover Simplify observed in the context of the
Extended Static Checker for Java (ESC/Java) project that "the inequalities that occur in program
checking rarely involve more than two or three terms" [53]. We have performed a study of formulas
generated in various recent software verification projects: the Blast project at Berkeley [69], the
Magic project at CMU [36], the Wisconsin Safety Analyzer (WiSA) project [164], and the software
upgrade checking project at MIT [97]. The results of this study, indicated in Table 5.1, support
the afore-mentioned observations regarding the "sparse, mostly difference" nature of constraints in
QFP formulas. To our knowledge, no previous decision procedure for QFP has attempted to exploit
this problem structure.

The following novel contributions are made in this chapter:

• We derive bounds on solutions for QFP formulas, not only in terms of the traditional
parameters $m$, $n$, $a_{\max}$, and $b_{\max}$, but also in terms of $k$ and $w$. In particular, we show that the
worst-case number of bits required per integer variable is linear in $k$, but only logarithmic in
$w$. Unlike previously derived bounds, ours is not in terms of the total number of constraints $m$.

• We use the derived bounds in a sound and complete decision procedure for QFP based on
small-domain encoding, and present empirical evidence that our method can greatly outperform
other decision procedures.

The rest of this chapter is organized as follows. We begin with a discussion of related work
(Section 5.1) and some background material (Section 5.2). Our main theoretical results on computing
solution bounds are presented in Section 5.3. Techniques for improving the bound in practice are
discussed in Section 5.4. An experimental evaluation is presented in Section 5.5, followed by a
discussion in Section 5.6.


5.1  Related  Work 

There  has  been  much  work  on  deciding  quantifier-free  Presburger  arithmetic;  we  present  a  brief 
discussion  here  and  refer  the  reader  to  a  recent  survey  [59]  for  more  details.  Recent  techniques  fall 
into  four  categories. 

Enumerating  DNF  terms 

The first class comprises procedures targeted towards solving conjunctions of constraints, with
disjunctions handled by enumerating terms in a disjunctive normal form (DNF). Examples include the
Omega test [127] (which is an extension of Fourier-Motzkin elimination for integers) and solvers
based on other integer linear programming techniques. The drawback of these methods is the need
to enumerate the potentially exponentially many terms in the DNF representation. Our work is
targeted towards solving formulas with a complicated Boolean structure, which often arise in
verification applications.




Lazy  translation  to  SAT 

The second set of methods attempt to remedy the above problem by instead relying on modern SAT
solving strategies. The approach works as follows. A Boolean abstraction of the QFP formula $F_{QFP}$
is generated by replacing each linear constraint with a corresponding Boolean variable. If the
abstraction is unsatisfiable, then so is $F_{QFP}$. If not, the satisfying assignment (model) is checked for
consistency with the theory of quantifier-free Presburger arithmetic, using a ground decision
procedure for conjunctions of linear constraints (a procedure for checking feasibility of integer linear
programs). Assignments that are inconsistent are excluded from later consideration by adding a
"lemma" to the Boolean abstraction. The process continues until either a consistent assignment
is found, or all (exponentially many) assignments have been explored. Examples of decision
procedures in this class that have some support for QFP include CVC [13, 17] and ICS [51]. (The
general idea for combining a SAT solver with a linear programming engine originates in a paper by
Wolfman and Weld [165].) The ground decision procedures used by provers in this class employ
a combination framework such as the Nelson-Oppen architecture for cooperating decision
procedures [109] or a Shostak-like combination method [139, 141]. These methods are only defined for
combining disjoint theories. In order to exploit the mostly-difference structure of a formula, one
approach could be to combine a decision procedure for a theory of difference constraints with one
for a theory of non-difference constraints, but this needs an extension of the combination methods
that applies to these non-disjoint theories.

Eager  translation  to  SAT 

Strichman [146] presents SAT-based decision procedures for linear arithmetic (over the rationals)
and QFP. The translation to SAT is a generalization of Direct encoding for arbitrary linear
constraints. For QFP, the basic idea is to create a Boolean encoding of all the possible variable projection
steps performed by the Omega test. Since Fourier-Motzkin elimination (and therefore, the Omega
test) has worst-case double-exponential complexity in both time and space [37], this approach leads
to a SAT problem that, in the worst-case, is doubly-exponential in the size of the original formula
and takes doubly-exponential time to generate.

Our approach also falls in this category. However, in contrast to Strichman's translation, our
encoding algorithm generates SAT problems that are polynomial in the size of the original formulas, and
runs in polynomial time.
Automata theory-based methods

The final class of methods are based on finite automata theory (e.g., [59, 166]). The basic idea is to
construct a finite automaton corresponding to the input QFP formula $F_{QFP}$, such that the language
accepted by the automaton consists of the binary encodings of satisfying solutions of $F_{QFP}$. According
to a recent experimental evaluation with other methods [59], these techniques are better than others
at solving formulas with very large coefficients, but do not scale well with the number of variables
and constraints.

Note that automata-based techniques can handle full Presburger arithmetic, not just the quantifier-
free fragment.

Unique  features  of  our  approach 

The approach we present in this chapter is distinct from the categories mentioned above. In
particular, the following unique features differentiate it from previous methods:

• It is the first small-domain encoding method and the first tractable procedure for translating
a QFP formula to SAT in a single step. The clear separation between the translation and the
SAT solving allows us to leverage future advances in SAT solving far more easily than other
SAT-based procedures.

• It is the first technique, to the best of our knowledge, that formally exploits the structure of
formulas commonly encountered in software verification.

In addition to the above, the bounds we derive in this chapter are also of independent theoretical
interest. For instance, they indicate that the solution bound is independent of the number of difference
constraints.


5.2  Background 

We  define  useful  notation  and  state  the  previous  results  on  bounding  satisfying  solutions  of  ILPs. 

5.2.1  Preliminaries 


Consider a system of $m$ linear constraints in $n$ integer-valued variables:

Here $A$ is an $m \times n$ matrix with integral entries, $b$ is an $m \times 1$ vector of integral entries, and $x$ is an
$n \times 1$ vector of integer-valued variables. A satisfying solution to system (5.1) is an evaluation of $x$
that satisfies (5.1).

As outlined in Section 2.1, the variables can be constrained to be non-negative by adding a zero
variable $x_0$, replacing each original variable $x_i$ by $x_i' - x_0'$, and then adjusting the coefficients in the
matrix $A$ to get a new constraint matrix $A'$ and the following system:²

$$
A' x' \geq b, \qquad x' \geq 0 \qquad\qquad (5.2)
$$

Here the system has $n' = n + 1$ variables, and $x' = [x_1', x_2', \ldots, x_n', x_0']^T$. $A'$ has the structure that
$a'_{i,j} = a_{i,j}$ for $j = 1, 2, \ldots, n$ and $a'_{i,n+1} = -\sum_{j=1}^{n} a_{i,j}$. Note that the last column of $A'$ is a linear
combination of the previous $n$ columns. Proposition 2.1 shows that system (5.1) has a solution if
and only if system (5.2) has one.

Finally, adding surplus variables to the system, we can rewrite system (5.2) as follows:

$$
A'' x'' = b, \qquad x'' \geq 0 \qquad\qquad (5.3)
$$

where $A'' = [A' \mid -I_m]$ is an $m \times (n' + m)$ integer matrix formed by concatenating $A'$ with the
negation of the $m \times m$ identity matrix $I_m$.

For convenience we will drop the primes, referring to $A''$ and $x''$ simply as $A$ and $x$. Rewriting
system (5.3) thus, we get

$$
A x = b, \qquad x \geq 0 \qquad\qquad (5.4)
$$

Remark 5.1 A solution to system (5.4) also satisfies system (5.2).

We  formally  define  the  terms  solution  bound  and  enumeration  bound  for  QFP  formulas. 

Definition 5.1 Given a QFP formula $F_{QFP}$, a solution bound is an integer $d$ such that $F_{QFP}$ has an
integer solution if and only if it has an integer solution in the $n$-dimensional hypercube $[0, d]^n$.

Definition 5.2 Given a QFP formula $F_{QFP}$, an enumeration bound is an integer $d$ such that $F_{QFP}$
has an integer solution if and only if it has an integer solution in the $n$-dimensional hypercube
$[-d, d]^n$. The interval $[-d, d]$ is termed as an enumeration domain.

²Note that this procedure can increase the width of a constraint by 1. The statistics in Table 5.1 show the width before
this procedure is applied, computed from constraints as they appear in the original formulas.
The following proposition is easily obtained.

Proposition 5.1 A solution bound $d > 0$ for system (5.2) is an enumeration bound for system (5.1).

Proof: Given a solution $x'^*$ to system (5.2), we construct a solution $x^*$ to system (5.1) by setting
$x_j^* = x_j'^* - x_0'^*$. Since each $x_j'^*$ and $x_0'^*$ are in $[0, d]$, $x_j^* \in [-d, d]$ for all $j$. □

Similarly, if $d$ is an enumeration bound for system (5.1), then $2d$ is a solution bound for system (5.2).

5.2.2  Previous  Results 

The bounds for QFP follow directly from those for integer linear programs. In particular, the results
of this chapter build on a result obtained by Borosh, Treybig, and Flahive [21, 22] on bounding the
solution of systems of the form (5.4). We state their result in the following theorem:

Theorem 5.1 Consider the augmented matrix $[A \mid b]$ of dimension $m \times (n' + m + 1)$. Let $\Delta$ be the
maximum of the absolute values of all minors of this augmented matrix. Then, the system (5.4) has
a satisfying solution if and only if it has one with all entries bounded by $(n + 2)\,\Delta$.

Note that the determinant of a matrix can be more than exponential in the dimension of the
matrix [25]. In the case of the Borosh-Flahive-Treybig result, it means that $\Delta$ can be as large as
$\mu^{m}(m+2)^{(m+1)/2}$, where $\mu = \max(a_{\max}, b_{\max})$.

Papadimitriou [118, 120] also gives a bound of similar size, stated in the following theorem:

Theorem 5.2 If the ILP of (5.4) has a satisfying solution, then it has a satisfying solution where all
entries in the solution vector are bounded by $(n' + m)(1 + b_{\max})(m\, a_{\max})^{2m+3}$.

Papadimitriou's bound implies that we need $O(\log m + \log b_{\max} + m[\log m + \log a_{\max}])$ bits to
encode each variable (assuming $n' = O(m)$). The Borosh-Flahive-Treybig bound implies needing
$O(m[\log m + \log \mu])$ bits per variable, which is of the same order.


5.3  Main  Theoretical  Results 


We begin in Section 5.3.1 by deriving bounds for ILPs for the case of $k = 0$, when all constraints
are difference constraints. Then, in Section 5.3.2, we compute a bound for ILPs for arbitrary $k$.
Finally, in Section 5.3.3, we show how our results extend to arbitrary QFP formulas.
5.3.1 Bounds for a System of Difference Constraints

Let us first consider computing solution bounds for an ILP for the case where $k = 0$, i.e.,
system (5.4) comprises only of difference constraints.

In this case, the left-hand side of each equation comprises exactly three variables: two variables $x_i$
and $x_j$ where $0 \leq i, j \leq n$ and one surplus variable $x_l$ where $n + 1 \leq l \leq n + m$. The $i$-th equation
in the system is of the form $x_i - x_j - x_l = b_i$.

As we noted in Section 5.2.1, the matrix $A$ can be written as $[A_0 \mid -I_m]$ where $A_0$ comprises the
first $n' = n + 1$ columns, and $I_m$ is the $m \times m$ identity matrix.

The important property of $A_0$ is that each row has exactly one $+1$ entry and exactly one $-1$
entry, with all other entries $0$. Thus, $A_0^T$ can be interpreted as the node-arc incidence matrix of a
directed graph. Therefore, $A_0^T$ is totally unimodular (TUM), i.e., every square submatrix of $A_0^T$ has
determinant in $\{0, -1, +1\}$ [120]. Therefore, $A_0$ is TUM, and so is $A = [A_0 \mid -I_m]$.

Now, let us consider using the Borosh-Flahive-Treybig bound stated in Theorem 5.1. This bound is
stated in terms of the minors of the matrix $[A \mid b]$. For the special case of this section, we have the
following bound on the size of any minor:

Theorem 5.3 The absolute value of any minor of $[A \mid b]$ is bounded above by $s\, b_{\max}$, where
$s = \min(n + 1, m)$.

Proof:

Consider any minor $M$ of $[A \mid b]$. Let $r$ be the order of $M$.

If the minor is obtained by deleting the last column (corresponding to $b$), then it is a minor of $A$, and
its value is in $\{0, -1, +1\}$ since $A$ is TUM. Thus, the bound of $s\, b_{\max}$ holds for any non-trivial
minor with $s \geq 1$ and $b_{\max} \geq 1$.

Suppose the $b$ column is not deleted.

First, note that the matrix $A$ is of the form $[A_0 \mid -I_m]$ where the rank of $A_0$ is at most
$s' = \min(n, m)$. This is because $A_0$ has dimensions $m \times (n + 1)$, and the last column of $A_0$, corresponding
to the variable $x_0$, is a linear combination of the previous $n$ columns. (Refer to the construction of
system (5.2) from system (5.1).)

Next, suppose the sub-matrix corresponding to $M$ comprises $p$ columns from the $-I_m$ part, $r - p - 1$
columns from the $A_0$ part, and the column corresponding to $b$. Since permuting the rows and
columns of $M$ does not change its absolute value, we can permute the rows of $M$ and the columns
corresponding to the $-I_m$ part to get the corresponding sub-matrix in the following form:


$$
\left[\begin{array}{c|cccc|c}
 & -1 & 0 & \cdots & 0 & b_{t_1} \\
 & 0 & -1 & \cdots & 0 & b_{t_2} \\
 & \vdots & & \ddots & & \vdots \\
A_0 \text{ part} & 0 & 0 & \cdots & -1 & b_{t_p} \\
 & 0 & 0 & \cdots & 0 & b_{t_{p+1}} \\
 & \vdots & & & \vdots & \vdots \\
 & 0 & 0 & \cdots & 0 & b_{t_r}
\end{array}\right]
$$

Expanding $M$ along the last column, we get
$$|M| = \left| b_{t_1} M_1 - b_{t_2} M_2 + b_{t_3} M_3 - \cdots \right|$$
where each $M_i$ is a minor corresponding to a submatrix of $A$.

However, notice that $M_i = 0$ for all $1 \le i \le p$, since each of those minors has an entire column (from the $-I_m$ part) equal to $0$. Therefore, we can reduce the right-hand side to the sum of $r - p$ terms:
$$|M| \le |b_{t_{p+1}} M_{p+1}| + |b_{t_{p+2}} M_{p+2}| + \cdots + |b_{t_r} M_r|$$

Notice that, so far, we have not made use of the special structure of $A$.

Now, observing that $A$ is TUM, $|M_i| \le 1$ for all $i$. Hence
$$|M| \le |b_{t_{p+1}}| + |b_{t_{p+2}}| + \cdots + |b_{t_r}|$$

For all $i$, $|b_{t_i}| \le b_{\max}$. Further, since each non-zero $M_i$ can be of order at most $s'$, $r - p \le s = \min(s' + 1, m)$.³ Therefore, we get
$$|M| \le s\, b_{\max}$$

□

Using the terminology of Theorem 5.1, we have $\Delta \le s\, b_{\max}$. Thus, the solution bound $d$ in this case is $(n + 2)\, s\, b_{\max}$.

Thus, $S$, the bound on the number of bits per variable, is
$$\lceil \log(n + 2) + \log s + \log b_{\max} \rceil$$

Formulas generated from verification problems tend to be overconstrained, so we assume $n < m$. Thus, $s = n + 1$, and the bound reduces to $O(\log n + \log b_{\max})$ bits per variable.

We  close  this  section  with  the  following  two  observations  about  Theorem  5.3. 

³We use $s' + 1$ and not $s'$ to account for the case where $p = 0$. The minimum with $m$ is taken because $s' + 1$ can exceed $m$ but $b$ has only $m$ elements.

Remark 5.2 The derived solution bound is conservative. From Theorem 3.1, we know that a tighter solution bound is $n \cdot b_{\max}$. This indicates that there might be room for improving the bound in Theorem 5.1.

Remark 5.3 The only property of the $A$ matrix that the proof of Theorem 5.3 relies on is the totally unimodular (TUM) property. Thus, Theorem 5.3 would also apply to any system of linear constraints whose coefficient matrix is TUM. Examples of such matrices include interval matrices, or more generally network matrices. Note that the TUM property can be tested for in polynomial time [131].

5.3.2 Bounds for a Sparse System of Mainly Difference Constraints

We now consider the general case for ILPs, where we have $k$ non-difference constraints, each referring to at most $w$ variables.

Without loss of generality, we can reorder the rows of matrix $A$ so that the $k$ non-difference constraints are the top $k$ rows, and the difference constraints are the bottom $m - k$ rows. Reordering the rows of $A$ can only change the sign of any minor of $[A \mid b]$, not the absolute value. Thus, the matrix $[A \mid b]$ can be put into the following form:


$$
[A \mid b] = \left[\begin{array}{c|c|c}
A_1 & & b_1 \\
\cline{1-1}
 & -I_m & \vdots \\
A_2 & & b_m
\end{array}\right]
$$

Here, $A_1$ is a $k \times (n + 1)$ dimensional matrix corresponding to the non-difference constraints, $A_2$ is an $(m - k) \times (n + 1)$ dimensional matrix with the difference constraints, $I_m$ is the $m \times m$ identity corresponding to the surplus variables, and the last column is the vector $b$.

For ease of presentation, we will assume in the rest of Sections 5.3.2 and 5.3.3 that $k \le n + 1$. We will revisit this assumption at the end of Section 5.3.

The matrix composed of $A_1$ and $A_2$ will be referred to, as before, as $A_0$. Note that each row of $A_1$ has at most $w$ non-zero entries, and each row of $A_2$ has exactly one $+1$ and one $-1$ with the remaining entries $0$. Thus, $A_2$ is TUM.

We prove the following theorem:

Theorem 5.4 The absolute value of any minor of $[A \mid b]$ is bounded above by $s\, b_{\max}\, (a_{\max} w)^k$, where $s = \min(n + 1, m)$.


Proof:

Consider any minor $M$ of $[A \mid b]$, and let $r$ be its order.

As in Theorem 5.3, if $M$ includes $p$ columns from the $-I_m$ part of $A$, then we can infer that $r - p \le s$. (Our proof of this property in Theorem 5.3 made no assumptions on the form of $A_0$.)

If $M$ includes the last column $b$, then as in the proof of Theorem 5.3, we can conclude that
$$|M| \le (r - p)\, b_{\max}\, \max_{j} |M_j| \qquad (5.5)$$
where $M_j$ is a minor of $A_0$.

If $M$ does not include $b$, then it is a minor of $A$. Without loss of generality, we can assume that $M$ does not include a column from the $-I_m$ part of $A$, since such columns only contribute to the sign of the determinant.

So, let us consider bounding a minor $M_j$ of $A_0$ of order $r$ (or $r - 1$, if $M$ includes the $b$ column).

Since $A_0 = \left[\begin{array}{c} A_1 \\ A_2 \end{array}\right]$, consider expanding $M_j$, using the standard determinant expansion by minors along the top $k$ rows corresponding to non-difference constraints. Each term in the expansion is (up to a sign) the product of at most $k$ entries from the $A_1$ portion, one from each row, and a minor from $A_2$. Since $A_2$ is TUM, each product term is bounded in absolute value by $a_{\max}^k$. Furthermore, there can be at most $w^k$ non-zero terms in the expansion, since each non-zero product term is obtained by choosing one non-zero element from each of the rows of the $A_1$ portion of $M_j$, and this can be done in at most $w^k$ ways.

Therefore, $|M_j|$ is bounded by $(a_{\max} w)^k$. Combining this with inequality (5.5), and since $r - p \le s$, we get
$$|M| \le s\, b_{\max}\, (a_{\max} w)^k$$
which is what we set out to prove. □

Thus, we conclude that $\Delta \le s\, b_{\max} (a_{\max} w)^k$, where $s = \min(n + 1, m)$. From Theorems 5.1 and 5.4, and Remark 5.1, we obtain the following theorem:

Theorem 5.5 A solution bound for the system (5.2) is
$$(n + 2)\, \Delta = (n + 2) \cdot s \cdot b_{\max} \cdot (a_{\max} w)^k$$

Thus, the solution size $S$ is
$$\lceil \log(n + 2) + \log s + \log b_{\max} + k(\log a_{\max} + \log w) \rceil$$

Remark 5.4 We make the following observations about the bound derived above, assuming, as before, that $n < m$, and so $s = n + 1$:

• Dependence on Parameters: We observe that the bound is linear in $k$, and logarithmic in $a_{\max}$, $w$, $n$, and $b_{\max}$. In particular, the bound is not in terms of the total number of linear constraints, $m$.

• Worst-case Asymptotic Growth: In the worst case, $k = m$, $w = n + 1$, and $n = O(m)$, and we get the $O(\log m + \log b_{\max} + m[\log m + \log a_{\max}])$ bound of Papadimitriou.

• Typical-case Asymptotic Growth: As observed in our study of formulas from software verification, $w$ is typically a small constant, so the number of bits needed per variable is $O(\log n + \log b_{\max} + k \log a_{\max} + k)$. In many cases, $a_{\max}$ and $k$ are also bounded by a small constant. Thus, $S$ is typically $O(\log n + \log b_{\max})$. This reduces the search space by an exponential factor over using the bound expressed in terms of $m$.

• Representing Non-difference Constraints: There are many ways to represent non-difference constraints, and these have an impact on the bound we derive. In particular, it is possible to transform a system of non-difference constraints to one with at most three variables per constraint. For example, the linear constraint $x_1 + x_2 + x_3 + x_4 = x_5$ can be rewritten as:
$$x_1 + x'_1 = x_5, \qquad x_2 + x'_2 = x'_1, \qquad x_3 + x_4 = x'_2$$
For the original representation, $k = 1$ and $w = 5$, while for the new representation $k = 3$ and $w = 3$. Since our bound is linear in $k$ and logarithmic in $w$, the original representation would yield a tighter bound.

Similarly, one can eliminate variables with coefficients greater than $1$ in absolute value by introducing new variables; e.g., $2x$ is represented as $x + x'$ with an additional difference constraint $x = x'$. This can be used to adjust $w$, $a_{\max}$, and $n$ so that the overall bound is reduced.

The derived bound only yields benefits in the case when the system has few non-difference constraints which themselves are sparse. In this case, we can instantiate variables over a finite domain that is much smaller than that obtained without making any assumptions on the structure of the system.

Finally, from Proposition 5.1 and Theorem 5.5, we obtain an enumeration bound for system (5.1):

Theorem 5.6 An enumeration bound for system (5.1) is
$$(n + 2) \cdot s \cdot b_{\max} \cdot (a_{\max} w)^k$$

Note that the values of $a_{\max}$ and $w$ in the statement of Theorem 5.6 are those for system (5.2).
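As an added example (not code from the thesis), the following Python script checks Theorem 5.4 on a small constructed system: it builds $[A \mid b]$ with $A = [A_0 \mid -I_m]$, classifies the rows into difference and non-difference rows, computes the parameters of Table 5.2 and enumerates every minor exactly. The $x_0$ column is assumed here to be the negated row sum, and the difference rows are also checked for the TUM property that the proof of Theorem 5.3 relies on.

```python
from fractions import Fraction
from itertools import combinations

# Constructed instance of system (5.2): n = 3 variables x1..x3 and m = 4 constraints
# a . x >= b, given as coefficient rows over (x1, x2, x3) plus the constants b.
ROWS = [
    [1, -1, 0],   # x1 - x2 >= 3       (difference constraint)
    [0, 1, -1],   # x2 - x3 >= -2      (difference constraint)
    [0, 0, 1],    # x3 >= 1            (x3 - x0 >= 1 after adding x0: a difference row)
    [2, 3, 0],    # 2*x1 + 3*x2 >= 7   (the single non-difference constraint, k = 1)
]
B = [3, -2, 1, 7]


def det(rows):
    """Exact determinant of a square integer matrix (Gaussian elimination over Fractions)."""
    n = len(rows)
    a = [[Fraction(v) for v in r] for r in rows]
    d = Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c] != 0), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            d = -d
        d *= a[c][c]
        for r in range(c + 1, n):
            f = a[r][c] / a[c][c]
            if f:
                for j in range(c, n):
                    a[r][j] -= f * a[c][j]
    return int(d)


def with_zero_variable(rows):
    """A0: append the x0 column. Assumption of this example: the x0 entry of a row is
    the negated row sum, so the column is a linear combination of the other n columns."""
    return [list(r) + [-sum(r)] for r in rows]


def augmented(rows, b):
    """[A | b] with A = [A0 | -I_m], the matrix whose minors Theorem 5.4 bounds."""
    m = len(rows)
    return [r + [-1 if j == i else 0 for j in range(m)] + [bi]
            for i, (r, bi) in enumerate(zip(with_zero_variable(rows), b))]


def is_difference_row(row):
    """Exactly one +1 and one -1, all other entries 0 (a row of A2)."""
    return sorted(v for v in row if v) == [-1, 1]


def parameters(rows, b):
    """n, m, k, w, amax, bmax, s as in Table 5.2, computed after adding x0."""
    a0 = with_zero_variable(rows)
    nondiff = [r for r in a0 if not is_difference_row(r)]
    n, m = len(rows[0]), len(rows)
    return {
        "n": n, "m": m, "k": len(nondiff),
        "w": max((sum(1 for v in r if v) for r in nondiff), default=1),
        "amax": max((abs(v) for r in nondiff for v in r), default=1),
        "bmax": max(abs(v) for v in b),
        "s": min(n + 1, m),
    }


def theorem_5_4_bound(p):
    """s * bmax * (amax * w)^k, the bound on |M| for any minor M of [A | b]."""
    return p["s"] * p["bmax"] * (p["amax"] * p["w"]) ** p["k"]


def largest_minor(matrix):
    """Largest |det| over all square submatrices (exponential: small inputs only)."""
    m, cols = len(matrix), len(matrix[0])
    best = 0
    for r in range(1, min(m, cols) + 1):
        for ri in combinations(range(m), r):
            for ci in combinations(range(cols), r):
                sub = [[matrix[i][j] for j in ci] for i in ri]
                best = max(best, abs(det(sub)))
    return best


if __name__ == "__main__":
    p = parameters(ROWS, B)
    a2 = [r for r in with_zero_variable(ROWS) if is_difference_row(r)]
    print("parameters:", p)
    print("largest minor of A2 (TUM, so at most 1):", largest_minor(a2))
    print("largest minor of [A|b]:", largest_minor(augmented(ROWS, B)),
          "<= bound", theorem_5_4_bound(p))
```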
5.3.3 Bounds for Arbitrary Quantifier-Free Presburger Formulas

We now return to our original goal, that of finding a solution bound for an arbitrary QFP formula $F_{\mathrm{QFP}}$.

Suppose that $F_{\mathrm{QFP}}$ has $m$ linear constraints $\phi_1, \ldots, \phi_m$, of which $m - k$ are difference constraints, and $n$ variables $x_1, x_2, \ldots, x_n$. As before, we assume that each non-difference constraint has at most $w$ variables, $a_{\max}$ is the maximum over the absolute values of coefficients $a_{i,j}$ of variables, and $b_{\max}$ is the maximum over the absolute values of constants $b_i$ appearing in the constraints. Furthermore, let us assume that the zero variable (used in transforming system (5.1) to system (5.2)) has already been introduced into the constraints, and that $a_{\max}$ and $w$ have been computed after this introduction.

We prove the following theorem.

Theorem 5.7 $(n + 2) \cdot \Delta$ is a solution bound for $F_{\mathrm{QFP}}$ where
$$\Delta = s\,(b_{\max} + 1)\,(a_{\max} w)^k$$
and $s = \min(n + 1, m)$.


Proof: Let $\sigma$ be an arbitrary satisfying assignment to $F_{\mathrm{QFP}}$. Let $m'$ constraints, $\phi_{i_1}, \phi_{i_2}, \ldots, \phi_{i_{m'}}$, evaluate to true under $\sigma$, the rest evaluating to false. Let $A' = [a_{i,j}]$ be an $m' \times n$ matrix in which each row comprises the coefficients of variables $x_1, x_2, \ldots, x_n$ in a constraint $\phi_{i_k}$, $1 \le k \le m'$. Thus, $A' = [a_{i,j}]$ where $i \in \{i_1, \ldots, i_{m'}\}$.

Now consider a constraint $\phi_{i_k}$ where $k > m'$, that evaluates to false under $\sigma$. $\phi_{i_k}$ is the inequality
$$\sum_{j=1}^{n} a_{i_k,j}\, x_j \ge b_{i_k}$$

Then $\sigma$ satisfies $\neg\phi_{i_k}$, which is the inequality
$$\sum_{j=1}^{n} a_{i_k,j}\, x_j < b_{i_k}$$

or equivalently,
$$\sum_{j=1}^{n} -a_{i_k,j}\, x_j \ge -b_{i_k} + 1$$

Let $A''$ be an $(m - m') \times n$ matrix corresponding to the coefficients of variables in constraints $\neg\phi_{i_{m'+1}}, \ldots, \neg\phi_{i_m}$. Thus, $A'' = [-a_{i,j}]$ where $i \in \{i_{m'+1}, \ldots, i_m\}$.

Finally, let $b = [b_{i_1}, b_{i_2}, \ldots, b_{i_{m'}}, -b_{i_{m'+1}} + 1, -b_{i_{m'+2}} + 1, \ldots, -b_{i_m} + 1]^T$.

Clearly, $\sigma$ is a satisfying solution to the ILP given by
$$\left[\begin{array}{c} A' \\ A'' \end{array}\right] \cdot x \ge b \qquad (5.6)$$

Also, if the system (5.6) has a satisfying solution then $F_{\mathrm{QFP}}$ is satisfied by that solution. Thus, $F_{\mathrm{QFP}}$ and the system (5.6) are equi-satisfiable, for every possible system (5.6) we construct in the manner described above.

By Theorems 5.1 and 5.4, we can conclude that if system (5.6) has a satisfying solution, it has one bounded by $(n + 2)\,\Delta$ where
$$\Delta = s\,(b_{\max} + 1)\,(a_{\max} w)^k$$
and $s = \min(n + 1, m)$. Moreover, this bound works for every possible system (5.6).

Therefore, if $F_{\mathrm{QFP}}$ has a satisfying solution, it has one bounded by $(n + 2)\,\Delta$. □

Thus, to generate the Boolean encoding of the starting QFP formula, we must encode each integer variable as a symbolic bit-vector of length $S$ given by
$$S = \lceil \log[(n + 2)\,\Delta] \rceil = \lceil \log(n + 2) + \log s + \log(b_{\max} + 1) + k(\log a_{\max} + \log w) \rceil$$

Remark 5.5 If the zero variable is not introduced into the formula $F_{\mathrm{QFP}}$, we can search for solutions in $\prod_{j=1}^{n} [-d, d]$, where $d = (n + 2)\,\Delta$. As noted earlier, the values of $a_{\max}$ and $w$ used in computing $\Delta$ are those obtained after introducing the zero variable.

Remark 5.6 In Section 5.3.2, we assumed, for ease of presentation, that $k \le n + 1$. If this does not hold, we can simply replace $k$ in the results of Sections 5.3.2 and 5.3.3 by $\min(k, n + 1)$. This is because the dimension of the minor $M_j$ of $A_0$ (mentioned in the proof of Theorem 5.4) is limited by $n + 1$.

Remark 5.7 Let us specialize the derived solution bound for G2SAT formulas. Since $w \le 2$ and $a_{\max} = 1$, the bound specializes to $(n + 2)\, s\, (b_{\max} + 1)\, 2^k$. This indicates that the derived bound is conservative.

Summary of notation

We conclude this section by summarizing the symbols used to represent formula parameters and the quantities derived therefrom. For easy reference, they are listed in Table 5.2.

Symbol     Meaning
n          Number of variables
m          Number of constraints
b_max      Maximum constant term
a_max      Maximum variable coefficient
k          Number of non-difference constraints
w          Maximum number of non-zero coefficients in any constraint
s          min(n + 1, m)
Δ          s · (b_max + 1) · (a_max w)^k
d          Solution bound, (n + 2) Δ
S          Solution size, ⌈log(d + 1)⌉

Table 5.2: Parameters and derived quantities

5.4 Improvements

The bounds we derived in the preceding section are conservative. For a particular problem instance, the size of minors can be far smaller than the bound we computed. However, this cannot be directly exploited by enumerating minors, since the number of minors grows exponentially with the dimensions of the constraint matrix. Also, there is a special case under which one can improve the $(n + 2)\,\Delta$ bound. If all the constraints are originally linear equalities and the system of constraints has full rank, a bound of $\Delta$ suffices [20]. However, in our experience, even if the linear constraints are all equalities, they still tend to be linearly dependent. Thus, we have not been able to make use of this special case result.

Fortunately, there are other techniques for improving the solution bound that we have found to be fairly useful in practice. These include theoretical improvements as well as heuristics. We describe these methods in this section.

5.4.1 Variable Classes

Recall the notion of a variable class introduced in Section 2.2. The variables and constraints in a QFP formula can usually be partitioned into several classes. Parameters $n$, $k$, $b_{\max}$, $a_{\max}$, and $w$ can be separately computed for each variable class, resulting in a separately computed solution bound for each class.

The correctness of this optimization follows from a reduction to ILP as performed in the proof of Theorem 5.7, and the observation that a satisfying solution to a system of ILPs, no two of which share a variable, can be obtained by solving them independently and concatenating the solutions.

Moreover, if all the constraints in a variable class are difference constraints (or G2SAT constraints), one can use the tighter solution bounds derived in Chapters 3 and 4.

5.4.2 Large Coefficients and Widths

In the expression for $S$, the term involving $a_{\max}$ (and $w$) is multiplied by a factor of $k$. Thus, any increase in $\log a_{\max}$ gets amplified by a factor of $k$. It is therefore useful to more carefully model the dependence of $S$ on coefficients. We present two techniques to alleviate the problem of dealing with large coefficients. These techniques also apply to dealing with large constraint widths.

An $n^k$-fold reduction

The coefficient of the zero variable $x_0$ has, so far, been used in computing $a_{\max}$. We will now show that we can ignore this coefficient, and also ignore any contribution of $x_0$ to the width $w$. This optimization can result in a reduction of up to a factor of $n^k$ in the solution bound $d$.

The largest reduction occurs when, in the original formula, we have a constraint of the form $\sum_j a_i x_j \ge b_i$, where $a_i$ is the largest coefficient in absolute value. After adding the zero variable, this constraint is transformed to $(\sum_j a_i x_j) - (n \cdot a_i)\, x_0 \ge b_i$. Thus, $a_{\max}$ now equals $n \cdot a_i$, a factor of $n$ times greater than in the original formula.
Let us revisit the transformation performed in Section 5.2.1 to convert system (5.1) to system (5.2).

A different, commonly-used transformation to non-negative variables is to write each $x_j$ as $x_j^+ - x_j^-$, where $x_j^+, x_j^- \ge 0$ for all $j$. Let the resulting system be referred to as system (5.2'). Let us assume that this different transformation is used in place of the original one that generates system (5.2), leaving all successive transformations the same.

Now, consider the form of the matrix $[A \mid b]$, as used in Section 5.3.2, reproduced below:
$$
[A \mid b] = \left[\begin{array}{c|c|c}
A_1 & & b_1 \\
\cline{1-1}
 & -I_m & \vdots \\
A_2 & & b_m
\end{array}\right]
$$

With the new transformation method, $A_1$ is a $k \times 2n$ dimensional matrix corresponding to the non-difference constraints, $A_2$ is an $(m - k) \times 2n$ dimensional matrix with the difference constraints, $I_m$ is the $m \times m$ identity corresponding to the surplus variables, and the last column is the vector $b$.

Importantly, note that $A_2$ is still totally unimodular and the ranks of $A_1$ and $A_2$ are the same as they were with the use of the single zero variable $x_0$. This is because a non-singular sub-matrix of $A_0$ cannot include both of the columns corresponding to $x_j^+$ and $x_j^-$, since they are negations of each other. Therefore, the values of $w$ and $a_{\max}$ used in the proof of Theorem 5.4 are those for the system (5.1).

Thus, if we use the transformation method of replacing $x_j$ with $x_j^+ - x_j^-$, the values of $w$ and $a_{\max}$ used in the statement of Theorem 5.4 are those for the system (5.1).

Note, however, that by replacing $x_j$ with $x_j^+ - x_j^-$, the number of variables in the problem doubles, and in particular, the number of input variables in the SAT-encoding is doubled. This is rather undesirable.

Fortunately, there are two solutions that avoid the doubling of variables at the minor cost of only 1 extra bit per variable.

1. The first solution is based on the following proposition that mirrors Proposition 5.1.

Proposition 5.2 A solution bound $d > 0$ for system (5.2') is an enumeration bound for system (5.1).

Proof: Given a solution $x'^{*}$ within the solution bound $d$ to system (5.2'), we construct a solution $x^*$ to system (5.1) by setting $x_j^* = x_j^{+*} - x_j^{-*}$. Clearly, $x_j^* \in [-d, d]$ for all $j$. □

Thus, we can restrict our search to the hypercube $\prod_{j=1}^{n} [-d, d]$, where the solution bound $d$ is computed using the values of $w$ and $a_{\max}$ for the system (5.1).

2. The second solution uses the following proposition showing that we can use the technique of adding a zero variable $x_0$ and the values of $w$ and $a_{\max}$ for the system (5.1), while paying only a minor penalty of 1 extra bit per variable.

Proposition 5.3 Suppose $d > 0$ is a solution bound such that system (5.2') has a solution in $[0, d]$ iff system (5.1) is feasible. Then, system (5.2) has a solution in $[0, 2d]$ iff system (5.2') has a solution in $[0, d]$.

Proof:

(if part): Suppose system (5.2') has a solution in $[0, d]$; i.e., $x_j^+, x_j^- \in [0, d]$ for all $j$. Then, we construct a satisfying assignment to system (5.2) as follows:

• $x_0$ is assigned the value $\max_j x_j^-$.

• $x_j$, for $j > 0$, is assigned the value $x_j^+ + (x_0 - x_j^-)$.

Since $0 \le (x_0 - x_j^-) \le d$, we can conclude that $0 \le x_j \le 2d$ for all $j$. It is easy to see that the resulting assignment satisfies system (5.2).



(only if part): Suppose system (5.2) has a solution in $[0, 2d]$. This means that the original system (5.1) is feasible. It follows that system (5.2') has a solution in $[0, d]$.

□

In both solutions, we must search $2d + 1$ values for each variable $x_j$, $1 \le j \le n$. However, the former avoids the need to add $x_0$, and hence will have fewer input variables in the SAT-encoding. Hence, the former solution is preferable.

The reader must note, though, that this optimization is only relevant when the introduction of the zero variable (significantly) affects the value of $a_{\max}$. (The impact on $w$ is minor.) If the value of $a_{\max}$ is unaffected by the introduction of the zero variable $x_0$, using $x_0$ can result in a more compact SAT-encoding than using an enumeration domain of $[-d, d]$ for each variable. If one uses the $x_0$ variable, one introduces $\log d$ input Boolean variables for $x_0$ in the SAT-encoding. On the other hand, without the $x_0$ variable, one introduces $n$ additional Boolean variables to encode sign bits. The relative size of the SAT-encoding, and hence the decision to introduce $x_0$, would depend on whether $n$ exceeds $\log d$.

Product of $k$ largest coefficients and widths

There is a simpler optimization which we have found to be useful in practice.

In the proof of Theorem 5.4, in deriving the $(a_{\max} \cdot w)^k$ term, we have assumed the worst-case scenario of each term in the determinant expansion equaling $a_{\max}^k$ and there being $w$ terms to choose from in each row.

In fact, we can replace $a_{\max}^k$ with $\prod_{i=1}^{k} a_{\max,i}$, where $a_{\max,i}$ denotes the largest coefficient in row $i$, in absolute value. Similarly, $w^k$ can be replaced with $\prod_{i=1}^{k} w_i$, where $w_i$ is the width of constraint $i$.

5.4.3 Large Constant Terms

For some formulas, the value of $b_{\max}$ is very large due to the presence of a single large constant (or very few of them). In such cases, a less conservative analysis or other problem transformations are useful. We present two such techniques here.

Product of $s$ largest constants

It is easy to see that, in the proof of Theorem 5.4, the $s\, b_{\max}$ term can be replaced by $\sum_{i=1}^{s} |b_{l_i}|$, where $b_{l_1}, b_{l_2}, \ldots, b_{l_s}$ are the $s$ largest elements of $b$ in absolute value. Similarly, the expression for $\Delta$ derived in Theorem 5.7 gets modified to
$$\Delta = \Big(\sum_{i=1}^{s} (|b_{l_i}| + 1)\Big) \cdot (a_{\max} w)^k$$

This optimization, like that of Section 5.4.2, has also proved fairly useful in practice.
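As an added example (not the thesis's code), the following Python computes $\Delta$, the solution bound $d = (n + 2)\,\Delta$ and the solution size $S = \lceil \log_2(d + 1) \rceil$ of Table 5.2 for a constructed instance, with the row-wise coefficient/width refinement of Section 5.4.2 and the $s$-largest-constants refinement just described switchable independently, mirroring the Base/Coeff/Const/All options compared later in this chapter. The non-difference rows are assumed to be given without the $x_0$ column (the $n^k$-fold reduction is already applied), and all names are this example's own.

```python
import math

# Constructed instance: n = 6 variables, m = 9 constraints, of which k = 2 are
# non-difference.  Only the non-difference rows enter the coefficient term; they
# are given over x1..x6 without the x0 column (assumption of this example: the
# n^k-fold reduction of Section 5.4.2 has already discarded x0's coefficient).
N, M = 6, 9
NONDIFF_ROWS = [
    [2, 3, 0, 0, 0, 0],   # 2*x1 + 3*x2 >= ...   amax_1 = 3, width w_1 = 2
    [1, 1, 1, 0, 0, 0],   # x1 + x2 + x3 >= ...  amax_2 = 1, width w_2 = 3
]
B = [3, -1, 0, 2, 500, 1, 0, 4, 2]   # a single large constant dominates bmax


def width(row):
    """Number of non-zero coefficients in a constraint."""
    return sum(1 for a in row if a != 0)


def delta(n, m, nondiff_rows, b, coeff_opt=False, const_opt=False):
    """Delta of Theorem 5.7, s (bmax+1) (amax w)^k, with optional refinements:
    coeff_opt replaces (amax w)^k by prod_i amax_i * w_i (row-wise maxima and widths),
    const_opt replaces s (bmax+1) by the sum of (|b_l|+1) over the s largest |b_l|."""
    s = min(n + 1, m)
    k = len(nondiff_rows)
    if const_opt:
        largest = sorted((abs(v) for v in b), reverse=True)[:s]
        const_term = sum(v + 1 for v in largest)
    else:
        const_term = s * (max(abs(v) for v in b) + 1)
    if coeff_opt:
        coeff_term = math.prod(max(abs(a) for a in r) * width(r) for r in nondiff_rows)
    else:
        amax = max((abs(a) for r in nondiff_rows for a in r), default=1)
        w = max((width(r) for r in nondiff_rows), default=1)
        coeff_term = (amax * w) ** k
    return const_term * coeff_term


def solution_bound(n, m, nondiff_rows, b, **opts):
    """d = (n + 2) * Delta."""
    return (n + 2) * delta(n, m, nondiff_rows, b, **opts)


def solution_size(n, m, nondiff_rows, b, **opts):
    """S = ceil(log2(d + 1)) bits per variable, computed exactly on integers:
    for x >= 1, ceil(log2(x)) == (x - 1).bit_length(), and here x = d + 1."""
    d = solution_bound(n, m, nondiff_rows, b, **opts)
    return d.bit_length()


OPTIONS = {            # the four encoding options compared in Section 5.5.2
    "Base":  dict(),
    "Coeff": dict(coeff_opt=True),
    "Const": dict(const_opt=True),
    "All":   dict(coeff_opt=True, const_opt=True),
}


def compare(n, m, nondiff_rows, b):
    """Solution size S under each option, e.g. {'Base': 22, 'Coeff': 19, 'Const': 19, 'All': 17}."""
    return {name: solution_size(n, m, nondiff_rows, b, **o) for name, o in OPTIONS.items()}


if __name__ == "__main__":
    for name, bits in compare(N, M, NONDIFF_ROWS, B).items():
        print(f"{name:5s}: S = {bits} bits per variable")
```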

Shift of origin

Another transformation that can be useful for dealing with large constant terms is to replace a variable $x_j$ by $x_j - \alpha_j$; this corresponds to shifting the origin in $\mathbb{Z}^n$ by $\alpha_j$ along the $x_j$-axis.

The $i$th constraint is then transformed into $\sum_j a_{i,j}(x_j - \alpha_j) \ge b_i$. Rewriting this, we obtain the form $\sum_j a_{i,j}\, x_j \ge b'_i$, where $b'_i = b_i + (\sum_j a_{i,j}\, \alpha_j)$.

The new value of $b_{\max}$, after the transformation, is $\max_i |b'_i|$. Therefore, we wish to find values of the $\alpha_j$'s so as to minimize the value of $\max_i |b'_i|$.

This problem can be phrased as the following integer linear program:

$$
\begin{array}{lll}
\min & z & \\
\text{subject to} & z \ge b_i + \big(\sum_j a_{i,j}\,\alpha_j\big), & 1 \le i \le m \\
 & z \ge -b_i - \big(\sum_j a_{i,j}\,\alpha_j\big), & 1 \le i \le m \\
 & z \ge 0 & \\
 & z \in \mathbb{Z},\ \alpha_j \in \mathbb{Z} \text{ for } 1 \le j \le n &
\end{array}
$$

The above ILP has $n + 1$ variables and $2m + 1$ constraints (including the non-negativity constraint on $z$).

In fact, one can write one such ILP for each variable class, since they do not share any variables or constraints. Then, the optimum value for each class will indicate the new value of $b_{\max}$ to use for that class.
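As an added example (not from the thesis), this Python code applies the shift of origin to a small constructed system and finds the $\alpha$ that minimises $\max_i |b'_i|$. An exhaustive search over an integer box stands in for an ILP solver (an assumption of the example); it returns the true optimum whenever the optimal $\alpha$ lies inside the box, as it does for this instance.

```python
from itertools import product

# Constructed system a . x >= b over (x1, x2, x3).  The constants (bmax = 35) are
# large compared to the coefficients, which is the situation the shift of origin targets.
ROWS = [
    [1, -1, 0],    #  x1 - x2 >= 10
    [0, 1, -1],    #  x2 - x3 >= 10
    [0, 0, 1],     #  x3      >= 10
    [-1, 0, 0],    # -x1      >= -35   (i.e. x1 <= 35)
]
B = [10, 10, 10, -35]


def shifted_constants(rows, b, alpha):
    """b'_i = b_i + sum_j a_ij * alpha_j: the constants after substituting x_j -> x_j - alpha_j."""
    return [bi + sum(a * al for a, al in zip(r, alpha)) for r, bi in zip(rows, b)]


def bmax(b):
    """Maximum constant term in absolute value."""
    return max(abs(v) for v in b)


def best_shift(rows, b, lo, hi):
    """Minimise z = max_i |b'_i| (the objective of the ILP in the text) over integer
    alpha in [lo, hi]^n by exhaustive search (stand-in for an ILP solver); returns (alpha, z)."""
    n = len(rows[0])
    best_alpha, best_z = None, None
    for alpha in product(range(lo, hi + 1), repeat=n):
        z = bmax(shifted_constants(rows, b, alpha))
        if best_z is None or z < best_z:
            best_alpha, best_z = alpha, z
    return best_alpha, best_z


if __name__ == "__main__":
    alpha, z = best_shift(ROWS, B, -40, 0)
    print("original bmax:", bmax(B))                       # 35
    print("best shift alpha:", alpha, "new bmax:", z)      # new bmax 2
    print("shifted constants:", shifted_constants(ROWS, B, alpha))
```

No shift can bring every $|b'_i|$ to 0 here because the chain $x_1 - x_2 \ge 10$, $x_2 - x_3 \ge 10$, $x_3 \ge 10$ pins $\alpha_1$ to $-30$ while $x_1 \le 35$ pins it to $-35$; the search settles on the best compromise.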

5.5 Experimental Evaluation

We used the bound derived in the previous section to implement a decision procedure based on small-domain encoding. We describe the implementation decisions in Section 5.5.1 and present a detailed experimental evaluation in Section 5.5.2.

5.5.1 Implementation

The decision procedure starts by analyzing the formula to obtain parameters, and computes the solution bound. We found that the optimizations of Section 5.4.1 and the first half of Section 5.4.2 are always useful, especially since formulas tend to contain many variable classes comprising only difference constraints. Hence, our base-line implementation always includes these optimizations. The impact of other optimizations is studied in Section 5.5.2.

Given the solution bound defining a finite range of values, integer variables in the QFP formula are encoded as symbolic bit-vectors (in two's complement encoding) large enough to express any integer value within that range. Arithmetic operators are implemented as arbitrary-precision bit-vector arithmetic operations. In our implementation, we used a ripple-carry adder circuit for encoding the "+" and "−" operators, and a shift-and-add circuit to encode multiplication by a constant. Equalities and inequalities over integer expressions are translated to comparator circuits over bit-vector expressions. The resulting Boolean formula is passed as input to a SAT solver.

We implemented our procedure as part of the UCLID verifier [156], which is written in Moscow ML [103]. In our implementation we used the zChaff SAT solver [169] version 2003.7.22. In the sequel, we will refer to our decision procedure as the "UCLID" procedure.

5.5.2 Experimental Results

We report here on a series of experiments we performed to evaluate our decision procedure against other theorem provers, as well as to assess the impact of the various optimizations discussed in Section 5.4.

All experiments were performed on a Pentium-IV 2 GHz machine with 1 GB of RAM running Linux. A timeout of 3600 seconds (1 hour) was imposed on each run.

Benchmarks

For benchmarks, we used 10 formulas from the Wisconsin Safety Analyzer (WiSA) project on checking format string vulnerabilities, and 3 generated by the Blast software model checker. The benchmarks include both satisfiable and unsatisfiable formulas in an extension of QFP with uninterpreted functions. Uninterpreted functions were first eliminated using Ackermann's technique [2],⁴ and the decision procedures were run on the resulting QFP formula.

⁴Ackermann's function elimination method replaces each function application by a fresh variable, and then instantiates the congruence axiom for those applications. For instance, the formula $f(x) = f(y)$ is translated to the function-free formula $v_{f_1} = v_{f_2} \wedge (x = y \Rightarrow v_{f_1} = v_{f_2})$.

Some characteristics of the formulas are displayed in Table 5.3. For each formula, we indicate whether it is satisfiable or not. We give the values of parameters $n$, $m$, $k$, $w$, $a_{\max}$ and $b_{\max}$ corresponding to the variable class for which $S = \lceil \log[(n + 2)\,\Delta] \rceil$ is largest, i.e., for which we need the largest number of bits per variable. The values of the parameters for the overall formula are also given (although these are not used in computing $S$ for any variable class); thus, the values of $m$ and $n$ in these columns are the total numbers of constraints and variables for the entire formula.

The top 10 formulas listed in the table are from the WiSA project. One key characteristic of these formulas is that they involve a significant number of Boolean operators ($\wedge$, $\vee$, $\rightarrow$), and in particular there is a lot of alternation of $\wedge$ and $\vee$. The other important characteristic of these benchmarks is that, although they vary in $n$, $m$, and $b_{\max}$, the values of $k$, $w$, and $a_{\max}$ are fixed at a small value.

Three formulas from the Blast suite are listed at the bottom of Table 5.3. All these formulas are unsatisfiable. Each formula is a conjunction of two sub-formulae: a large conjunction of linear constraints, and a conjunction of congruence constraints generated by Ackermann's function elimination method. Thus, there is only one alternation of $\wedge$ and $\vee$ in these formulas.


Formula     Ans.  | Parameters corr. to max. S                 | Max. parameters overall
                  |   n     m   k  w  amax  bmax    S          |   n     m   k  w  amax  bmax
s-20-20     SAT   |  28   263   5  4     4     ?   36          |  64   550   5  4     4   255
s-20-30     SAT   |  28   263   5  4     4     ?   36          |  64   550   5  4     4   255
s-20-40     UNS   |  28   263   5  4     4    40   37          |  64   550   5  4     4   255
s-30-30     SAT   |  38   383   5  4     4    31   37          |  82   800   5  4     4   255
s-30-40     SAT   |  38   383   5  4     4    40   37          |  82   800   5  4     4   255
xs-20-20    SAT   |  49   323   5  4     4    21   37          |  84   632   5  4     4   255
xs-20-30    SAT   |  49   323   5  4     4    30   38          |  84   632   5  4     4   255
xs-20-40    UNS   |  49   323   5  4     4    40   38          |  84   632   5  4     4   255
xs-30-30    SAT   |  69   473   5  4     4    31   39          | 114   922   5  4     4   255
xs-30-40    SAT   |  69   473   5  4     4    40   39          | 114   922   5  4     4   255
blast-tl2   UNS   |  54    67   7  3     1     0   24          | 145   274   7  3     1   128
blast-tl3   UNS   | 201  2669  19  6     1    15   70          | 260  2986  19  6     1   128
blast-f8    UNS   | 255  6087   2  1  2560    20    ?          | 321  7224   2  1  2560     ?

Table 5.3: Benchmark characteristics. The top half of the table consists of the WiSA benchmarks and the bottom three are generated by the Blast software verifier. (A "?" marks a cell that is illegible in the scanned source.)


Impact  of  optimizations 

In this section, we discuss the impact of the optimizations discussed in Sections 5.4.2 and 5.4.3.
Table 5.4 compares the following 4 different encoding options based on different ways of computing
the solution bound:

Base:  The  base-line  method  of  computing  the  solution  bound. 

Coeff:  Using  the  optimization  of  Section  5.4.2  alone. 

Const:  Using  the  optimization  of  Section  5.4.3  alone. 

All:  Using  optimization  methods  of  both  Sections  5.4.2  and  5.4.3. 

The  comparison  is  made  with  respect  to  the  largest  number  of  bits  needed  for  any  variable  class, 
and  the  run-times  for  both  generating  the  SAT-encoding  and  for  SAT  solving. 

First, we note that Coeff and Const both generate more compact encodings than Base; on the
WiSA benchmarks, they use about 5-10 fewer bits per variable in the largest variable class. The
reduction in the total number of bits, summed over all variables in all variable classes, is similar,
since most variables fall into a single class.

The  encoding  times  decrease  with  reduction  in  number  of  bits;  this  is  just  as  one  would  expect. 

However,  the  comparison  of  SAT  solving  times  is  more  mixed;  on  a  few  benchmarks  Coeff  and 
Const  outperform  Base,  and  on  others,  they  do  worse.  The  latter  behavior  is  observed  especially 
on  satisfiable  formulas.  The  reason  for  this  might  be  the  relative  ease  in  finding  larger  solutions  for 
those  formulas  than  finding  smaller  solutions. 

When Coeff and Const are both used (indicated as "All"), we find that not only are encoding times
smaller than the Base technique, but SAT solving times are also smaller in all cases except one,
where the difference is only minor. This seems to indicate that a reduction in SAT-encoding size
beyond a certain limit overcomes any negative effects of restricting the search to smaller solutions.

                    Max. #bits/var.              Encoding Time (sec.)           SAT Time (sec.)
Formula     Ans.    Base  Coeff  Const  All      Base   Coeff  Const  All       Base   Coeff  Const  All
s-20-20     SAT     36    26     31     21       1.66   1.25   1.27   1.00      5.41   9.28   8.34   0.48
s-20-30     SAT     36    26     31     22       1.72   1.24   1.32   1.02      3.99   2.28   4.82   0.50
s-20-40     UNS     37    27     32     22       1.72   1.28   1.30   1.03      1.37   1.35   0.92   0.87
s-30-30     SAT     37    27     32     22       2.27   1.90   1.99   1.57      17.22  0.88   14.31  9.57
s-30-40     SAT     37    28     32     23       2.39   1.96   2.03   1.55      20.17  8.22   4.80   11.99
xs-20-20    SAT     37    28     32     22       2.29   1.88   1.93   1.55      17.67  21.62  11.67  7.15
xs-20-30    SAT     38    28     32     23       2.29   1.95   2.00   1.61      23.21  18.19  1.50   7.18
xs-20-40    UNS     38    29     33     23       2.41   1.99   2.04   1.59      7.32   8.60   10.55  8.01
xs-30-30    SAT     39    29     33     23       3.84   2.71   2.89   2.17      79.10  18.40  20.16  27.92
xs-30-40    SAT     39    30     33     24       3.76   2.83   2.67   2.12      27.60  45.63  13.36  13.45
blast-tl2   UNS     24    24     19     19       1.54   ?      1.10   ?         0.05   0.04   0.03   0.03
blast-tl3   UNS     70    53     62     46       29.98  ?      ?      ?         0.78   0.54   0.66   0.46
blast-f8    UNS     20    20     12     12       18.37  ?      ?      6.22      6.15   ?      2.63   2.29

Table 5.4: An experimental evaluation of encoding optimizations. We compare the 4 different
UCLID encoding options with respect to the maximum number of bits needed for any integer variable
("Max. #bits/var."), the time taken to generate the Boolean encoding, and the time taken by the
SAT solver. A "?" marks a cell that is illegible in the scanned source.

We also performed an experiment to explore the use of the shift-of-origin optimization described in
Section 5.4.3. UCLID automatically formulated the ILP and invoked CPLEX [46], an integer linear
programming solver (version 8.1), to solve it. Since none of the benchmarks listed in Table 5.3 have
especially large constants, we used a different, unsatisfiable formula from the Blast suite which has
only difference constraints, but with large constants.

Table 5.5 summarizes the key characteristics of this formula as well as the results obtained by comparing
versions of the base-line (Base) implementation with and without the optimization enabled.
We list the values of parameters, with and without the shift-of-origin optimization enabled, for the
variable classes that yield the two largest values of $S$ when the optimization is disabled.

With the optimization turned on, the largest constant in the entire formula falls from 261133242
to 432539, a 600-fold reduction. However, if we restrict our attention to the largest variable class,
comprising 230 variables, the reduction in $b_{max}$ is more modest, about a factor of 4. This yields a
saving of 2 bits per variable for that variable class. The saving in the total number of bits, summed
over all variable classes, is 677. This is, however, not large enough to reduce either the encoding
time or the SAT time. In fact, the encoding time increases by about a second; this is the time required
to run CPLEX and for the processing overhead of creating the ILP.

Even  though  the  shift-of-origin  optimization  has  not  resulted  in  faster  run-times  in  our  experiments, 
it  clearly  has  the  potential  to  greatly  reduce  the  number  of  bits,  and  might  prove  useful  on  other 
benchmarks. 


Shift-of-origin    Param. for largest S                Param. for 2nd largest S            Total    Time (sec.)
enabled?           n     m      b_max      S           n     m    b_max        S           #bits    Enc.    SAT
No                 230   6417   2162688    29          ?     2    261133242    28          7510     24.68   0.70
Yes                230   6417   432539     27          ?     2    0            1           6833     25.78   0.71

Table 5.5: Evaluating the shift-of-origin optimization. We list the values of parameters corresponding
to variable classes with the two largest values of $S$, as computed without the shift-of-origin
optimization. "Total #bits" indicates the number of bits needed to encode all integer variables. Encoding
time is indicated as "Enc." and SAT solving time as "SAT". A "?" marks a cell that is illegible in
the scanned source.


Comparison with other theorem provers

We compared UCLID's performance with that of the SAT-based provers ICS [80] (version 2.0) and
CVC-Lite [48] (the new implementation of CVC, version 1.1.0), as well as the automata-based
procedure LASH [92]. While CVC-Lite and LASH are sound and complete for QLP, ICS 2.0
is incomplete; i.e., it can report a formula to be satisfiable when it is not. The ground decision
procedure ICS uses is the Simplex linear-programming algorithm with some additional heuristics to
deal with integer variables. However, in our experiments, both UCLID and ICS returned the same
answer whenever ICS terminated within the timeout. The ground decision procedure for CVC-Lite
is a proof-producing variant of the Omega test [17].

LASH was unable to complete on any benchmark within the timeout since it was unable to construct
the corresponding automata; we attribute this to the relatively large number of variables and
constraints in our formulas, and note that Ganesh et al. obtained similar results in their study [59].

A  comparison  of  UCLID  versus  ICS  and  CVC-Lite  is  displayed  in  Table  5.6.  From  Table  5.6, 
we  observe  that  UCLID  outperforms  ICS  on  all  the  WiSA  benchmarks,  terminating  well  within  a 
minute  on  each  one.  However,  ICS  performs  best  on  the  Blast  formulas,  finishing  within  a  fraction 
of  a  second  on  all.  CVC-Lite  does  not  outperform  the  other  procedures  on  any  formula,  and  was 
unable  to  complete  on  any  of  the  WiSA  benchmarks.  We  suspect  that  this  time  is  being  mainly  spent 
in  the  ground  decision  procedure  based  on  the  Omega  test,  but  have  been  unable  to  obtain  detailed 
statistics. 

Let  us  consider  the  WiSA  benchmarks  first.  These  formulas  have  a  complicated  Boolean  structure 
that  requires  ICS  to  enumerate  many  inconsistent  Boolean  assignments  before  being  able  to  decide 
the  formula.  The  ICS  run-time  is  dominated  by  the  time  taken  by  the  ground  decision  procedure. 
We  observe  that  the  number  of  inconsistent  Boolean  assignments  alone  is  not  a  precise  indicator  of 
total  run-time,  which  also  depends  on  the  time  taken  by  the  ground  decision  procedure  in  ruling  out 
a  single  Boolean  assignment. 

The reason for UCLID's superior performance is the formula structure, where $k$, $w$, and $a_{max}$
remain fixed at a low value while $m$, $n$, and $b_{max}$ increase. Thus, the maximum number of bits per
variable stays about the same even as $m$ increases substantially, and the resulting SAT problem is
within the capacity of zChaff. Also, for these benchmarks, the SAT time is almost always the larger
portion of UCLID's run-time; this is not surprising since the Boolean structure of the original formula is
non-trivial, and moreover, the time to compute the parameter values and generate the SAT-encoding
is polynomial in the input size.

                    UCLID Time (sec.)          ICS                                               CVC-Lite
Formula     Ans.    Enc.    SAT     Total      #(Inc. assn.)  Ground Time (sec.)  Total Time (sec.)  Total Time (sec.)
s-20-20     SAT     1.13    1.02    2.15       904            23.32               23.76              *
s-20-30     SAT     1.17    1.02    2.19       1887           51.68               52.29              *
s-20-40     UNS     1.16    1.35    2.51       25776          658.01              669.99             *
s-30-30     SAT     1.73    11.12   12.85      2286           268.21              269.42             *
s-30-40     SAT     1.77    13.81   15.58      14604          1621.27             1625.15            *
xs-20-20    SAT     1.63    8.38    10.01      2307           97.21               98.32              *
xs-20-30    SAT     1.50    7.22    8.72       33103          1519.77             1540.27            *
xs-20-40    UNS     1.65    8.84    10.49      97427          3468.91             *                  *
xs-30-30    SAT     2.26    29.73   31.99      72585          3287.47             *                  *
xs-30-40    SAT     2.32    15.65   17.97      33754          3082.34             *                  *
blast-tl2   UNS     1.08    0.03    1.11       1              0.01                0.01               1.38
blast-tl3   UNS     17.57   0.46    18.03      0              0.00                0.01               37.77
blast-f8    UNS     10.68   2.29    12.97      1              0.01                0.05               179.43

Table 5.6: Experimental comparison with other theorem provers. The UCLID version is the one
with all optimizations turned on ("All"). For ICS, we give the total time, the number of inconsistent
Boolean assignments analyzed by the ground decision procedure ("#(Inc. assn.)"), as well as the
overall time taken by the ground decision procedure ("Ground"). For CVC-Lite, we indicate the
total run-time. A * indicates that the decision procedure timed out after 3600 sec. LASH did not
complete within the timeout on any formula.

Next, consider the results on the Blast formulas. The reason for ICS's superior performance on
these can be gauged by the number of inconsistent Boolean assignments it has to enumerate. On
the formula named "blast-tl3", purely Boolean reasoning suffices to decide unsatisfiability. For the
other two formulas, the reason for unsatisfiability is a mutually-inconsistent subset amongst all the
linear constraints that are conjoined together, and a single call to ICS's ground decision procedure
suffices to infer the inconsistency.

On  the  other  hand,  UCLID's  run-time  is  dominated  by  the  encoding  time.  Once  the  encoding  is 
generated,  the  SAT  solver  decides  unsatisfiability  easily. 

To summarize, it appears that decision procedures based on a lazy translation to SAT, such as ICS,
are effective when the formula structure is such that only a few calls to the ground decision procedure
are required. UCLID performs better on formulas with complicated Boolean structure and
comprising linear constraints with the sparse structure formalized in this chapter.
5.6 Discussion

We  have  presented  a  formal  approach  to  exploiting  the  “sparse,  mainly  difference  constraint”  nature 
of  quantifier-free  Presburger  formulas  encountered  in  software  verification.  Our  approach  is  based 
on  formalizing  this  sparse  structure  using  new  parameters,  and  deriving  a  new  parameterized  bound 
on  satisfying  solutions  to  QFP  formulas.  We  have  also  proposed  several  ways  in  which  the  bound 
can  be  reduced  in  practice.  Experimental  results  show  the  benefits  of  using  the  derived  bound  in  a 
SAT-based  decision  procedure  based  on  small-domain  encoding. 

Table 5.7 summarizes the value of $d$ for all the classes of linear constraints explored in this thesis.
We can clearly see that the bound derived in this chapter for quantifier-free Presburger arithmetic is
conservative. For example, if all constraints are difference constraints, the expression for $d$ derived
in this chapter simplifies to $(n + 2) \cdot \min(n + 1, m) \cdot (b_{max} + 1)$. This is $n + 2$ times as big as
the bound derived in Chapter 3; note that the looseness in the bound is a carry-over from the result
of Borosh, Treybig, and Flahive. For generalized 2SAT constraints, the bound derived for arbitrary
QFP is much looser. In the worst case, it is looser by an exponential factor: if $k$ is $O(m)$, $a_{max}$ is 1,
and $w$ is 2, then the bound is $O((n + 2) \cdot \min(n + 1, m) \cdot (b_{max} + 1) \cdot 2^m)$, whereas the results of
Chapter 4 tell us that the solution bound $d = 2 \cdot n \cdot (b_{max} + 1)$ suffices (since $n \cdot (b_{max} + 1)$ is an
enumeration bound).


Class of Linear Constraints       Solution Bound d
Difference constraints            $n \cdot (b_{max} + 1)$
Generalized 2SAT constraints      $2 \cdot n \cdot (b_{max} + 1)$
Arbitrary linear constraints      $(n + 2) \cdot \min(n + 1, m) \cdot (b_{max} + 1) \cdot (w \cdot a_{max})^k$

Table 5.7: Solution bounds for classes of linear constraints. The classes are listed top to bottom
in increasing order of expressiveness.

Due to the conservative nature of the bound derived in this chapter, and in spite of the many optimizations
discussed, the computed solution bound can generate a SAT problem beyond the reach of
current solvers. The latter situation can also arise for problem domains that do not generate sparse
linear constraints. There is therefore a need for an efficient algorithm to compute a tighter solution
bound.

Recent work by the author and colleagues [87], implemented in UCLID, presents one approach
towards computing a tighter solution bound. The central idea is to compute the solution bound
incrementally, starting with a small bound and increasing it "on demand". Figure 5.1 outlines this
lazy approach to computing the solution bound.

Figure 5.1: Lazy approach to computing solution bound. (Flowchart; its two exit labels read "QFP
Formula Satisfiable" and "QFP Formula Unsatisfiable".)

Given a QFP formula $F_{QFP}$, we start with an encoding size for each integer variable that is smaller
than that prescribed by the conservative bound (say, for example, 1 bit per variable).

If the resulting Boolean formula is satisfiable, so is $F_{QFP}$. If not, the proof of unsatisfiability generated
by the SAT solver is used to generate a sound abstraction $F'_{QFP}$ of $F_{QFP}$. A sound abstraction is
a formula, usually much smaller than the original, such that if it is unsatisfiable, so is the original
formula. A sound and complete decision procedure for QFP (such as the one proposed in this chapter)
is then used on $F'_{QFP}$. If this decision procedure concludes that $F'_{QFP}$ is unsatisfiable, so is $F_{QFP}$.
If not, it provides a counterexample which indicates the necessary increase in the encoding size. A
new SAT-encoding is generated, and the procedure repeats.

The  bound  S  on  solution  size  that  we  derive  in  this  chapter  implies  an  upper  bound  nS  on  the 
number  of  iterations  of  this  lazy  encoding  procedure;  thus  the  lazy  encoding  procedure  needs  only 
polynomially  many  iterations  before  it  terminates  with  the  correct  answer.  Of  course,  each  iteration 
involves  a  call  to  a  SAT  solver  as  well  as  to  a  decision  procedure  for  QFP. 

A key component of this lazy approach is the generation of the sound abstraction. While the details
are outside the scope of this thesis, we sketch one approach here. (Details can be found in [87].)
Assume that $F_{QFP}$ is in conjunctive normal form (CNF); thus, $F_{QFP}$ can be viewed as a set of clauses,
each of which is a disjunction of linear constraints and Boolean literals. A subset of this set of
clauses is a sound abstraction of $F_{QFP}$. This subset is computed by retaining only those clauses from
the original set that contribute to the proof of unsatisfiability of the SAT-encoding.




The potential advantage of this lazy approach is twofold: (1) It avoids using the conservative bounds
we have derived in this chapter, and (2) if the generated abstractions are small, the sound and
complete decision procedure used by this approach will run much faster than if it were fed the
original formula.

For the WiSA benchmarks discussed in Section 5.5, we found that a solution bound of $2^8 - 1$, i.e., 8
bits per variable, is sufficient to decide satisfiability. However, the time required to derive this bound
using the method of [87] is much greater than the run-times we report in Section 5.5. Still, the lazy
approach can prove especially useful in cases in which $S$ is so large that the SAT problem is outside
the reach of current SAT solvers. Among other things, there is potential to improve its efficiency by
using an incremental SAT solver in the loop.


Chapter  6 


Automated  Selection  of  Boolean 
Encoding 


Chapter  3  introduced  two  very  distinct  methods  of  deciding  a  difference  logic  formula  via  translation 
to  SAT.  This  naturally  gives  rise  to  the  following  question:  Given  a  difference  logic  formula,  which 
encoding  technique  should  one  use  to  decide  that  formula  the  fastest? 

In this chapter, we first present evidence that this question cannot be resolved entirely in favor of
either method. We then show that one can select an encoding method based on formula characteristics
using a rule generated by machine learning from past examples (formulas). Moreover, parts
of a single formula corresponding to different variable classes can be encoded using different encoding
methods. The resulting hybrid encoding algorithm is more robust to variation in formula
characteristics than either of the two techniques of Chapter 3.


6.1  The  Need  for  Algorithm  Selection 

An  experimental  study  comparing  the  small-domain  (SD)  and  Direct  encoding  methods  over  a 
range  of  benchmarks  indicates  that  neither  method  dominates  the  other  in  run-time  performance. 
Section 6.1.1 presents the results of this study. These findings motivate the use of automated algorithm
selection, described in Section 6.1.2.

6.1.1  Comparing  the  SD  and  Direct  Methods 


We  compare  the  space  and  time  complexity  of  the  SD  and  Direct  decision  procedures  with  respect 
to  both  encoding  and  SAT-solving  steps. 
Let us first compare the encoding steps of the two decision procedures. The SD encoding algorithm
runs in polynomial time and generates a SAT problem that is polynomial-size in the original formula.
On the other hand, the Direct encoding can generate, in the worst case, a SAT problem that is
exponential in the size of the original formula (this is due to a worst-case exponential number of
transitivity constraints; see Example 3.4).

The  above  comparison  suggests  always  favoring  SD  over  Direct,  since  the  SD  encoding  phase 
is  polynomial-time  and  the  SAT  instance  is  polynomial-size  in  the  input.  Unfortunately,  such  a 
simple  judgement  cannot  be  made.  First,  theoretical  worst-case  results  do  not  always  reflect  practice. 
Second,  the  run-times  of  SAT  solvers  do  not  always  increase  monotonically  with  the  size  of  the 
SAT  instance.  In  this  section,  we  present  experimental  evidence  supporting  the  latter  behavior, 
which  has  also  been  observed  in  other  contexts  (e.g.,  [77, 126]).  We  will  also  formally  characterize 
the  structure  of  the  SAT  instances  generated  by  the  Direct  encoding  method,  showing  that  even 
when  they  are  bigger  than  those  generated  by  the  SD  method,  the  special  structure  of  the  Direct 
encoding  method  makes  the  SAT  time  only  polynomially-dependent  on  the  number  of  transitivity 
constraints. 

Note  also  that  both  encoding  methods  can  generate  arbitrary  SAT  instances.  For  example,  when  the 
starting  formula  is  purely  Boolean,  both  methods  generate  identical  output. 

Experimental  setup 

All experiments reported in this chapter were based on a set of 49 difference logic formulas,¹ all
but 4 of which are unsatisfiable. These formulas are drawn from problems encountered in both
hardware and software design verification. The hardware designs include the load-store unit of an
industrial microprocessor, an out-of-order microprocessor design [89], a cache coherence protocol
[61], and a 5-stage DLX pipeline. The software benchmarks are generated in the verification of
safety properties of device driver code [68], and in translation validation [123].

Experiments  were  run  on  a  Pentium-IV  2  GHz  machine  with  1  GB  of  RAM.  A  timeout  of  3600 
seconds  (one  hour)  was  imposed  on  each  run.  For  the  SAT  solving  phase,  we  used  the  zChaff  SAT 
solver  (version  2003.7)  with  the  default  options. 

Analysis  of  results 

Figure 6.1 shows a scatterplot comparing the total run-time (encoding time and SAT time) for both
encoding methods. In the plot, the x-coordinate of each point is the time taken by Direct, and the
y-coordinate is the time taken by SD. We also plot the diagonal line $y = x$ in each plot.

¹ The formulas originally also included applications of uninterpreted functions, but these are first eliminated using the
method proposed by Bryant et al. [29]. This method is reviewed in Chapter 7.

Figure 6.1: Comparing SD and Direct encoding methods. Note the log scales on both axes.

Figure 6.2: Comparing SD and Direct methods when Direct encoding phase completes. Note the log scales on both axes.

Thus, points above the diagonal correspond to benchmarks on which Direct outperforms SD, and
vice-versa for the points below the diagonal. Note that some points are spaced close enough to
appear superimposed on each other.

The SD method times out on two benchmarks, whereas the Direct method does not complete on
12. As expected, the SAT solving phase is the reason that the SD method fails to finish. On the other
hand, the Direct method fails to reach the SAT solving phase on 11 of the 12 formulas it does not
finish on.

Figure 6.2 shows the scatterplot restricted to the 38 benchmarks for which the Direct method
reaches the SAT solving stage. It is evident that Direct outperforms SD on almost all of these
formulas.

A closer look at the data in Figure 6.2 reveals the non-monotonic behavior of the zChaff SAT solver.
Table 6.1 shows the effect of the encoding method on zChaff's performance on a representative
sample of benchmarks from out-of-order processor verification [89]. Even though the SD method
generates smaller SAT instances, zChaff does more backtracking and runs slower on SD instances
as compared to Direct instances.


               # of CNF Variables    # of CNF Clauses     # of Conflict Clauses    SAT Time (sec.)
Benchmark      SD       Direct       SD        Direct     SD        Direct         SD        Direct
OOO.rf9        14744    15898        43741     47786      84748     7849           152.49    8.61
OOO.tag14      48825    53910        145570    167308     65012     8934           220.38    34.59

Table 6.1: Effect of encoding on zChaff performance. "Conflict Clauses" denotes the conflict
clauses added by zChaff on backtracking.

We  have  also  observed  the  same  behavior  for  other  solvers  based  on  the  Davis-Putnam-Logemann- 
Loveland  (DPLL)  method,  such  as  BerkMin  [63]  and  Siege  [142]. 

The structure of SAT instances generated by the Direct method can be characterized formally.
Recall from Section 3.3 that a transitivity constraint generated in the Direct encoding algorithm
either has the form $e^{b_1}_{ij} \wedge e^{b_2}_{jk} \Rightarrow e^{b_1 + b_2}_{ik}$ or the form $e^{b_1}_{ij} \wedge e^{b_2}_{ji} \Rightarrow \mathit{false}$. Rewriting the constraint
as a CNF clause, we either get the expression $(\neg e^{b_1}_{ij}) \vee (\neg e^{b_2}_{jk}) \vee e^{b_1 + b_2}_{ik}$ or $(\neg e^{b_1}_{ij}) \vee (\neg e^{b_2}_{ji})$. In
either case, there is at most one positive literal in the generated CNF clause. In other words, each
transitivity constraint is a Horn clause. Since transitivity constraints are the source of exponential
blow-up in the size of SAT problems generated using the Direct encoding, one can characterize
the Direct encoding as generating mostly-Horn-SAT problems, in the worst-case.

A SAT instance comprising only Horn clauses (a Horn-SAT instance) is linear time solvable, with
unit propagation being the main step [38]. Thus, in the worst-case, the run-time of a SAT solver is
$O(2^m)$, where $m$ is the number of original difference constraints; i.e., the run-time does not grow
exponentially in the number of transitivity constraints.
Although current DPLL-based SAT solvers such as zChaff do not explicitly check for Horn structure,
they can solve mostly-Horn-SAT instances very fast. This appears to be mainly due to the
efficient implementation of unit propagation.
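The Horn structure just described, as an added example written for this page (not code from the thesis or from UCLID): it derives the transitivity clauses of the Direct encoding for a small constructed set of difference-constraint atoms, checks that each is a Horn clause, and decides a set of asserted atoms by unit propagation. Restricting the derivation to simple paths of the constraint graph, the atom and literal representation, and the sample atoms are this example's assumptions.

```python
# Added example (not from the thesis or UCLID): transitivity constraints of
# the Direct encoding written as CNF clauses, a Horn check, and the unit
# propagation that decides such clauses. An atom (i, j, b) stands for the
# difference constraint x_i - x_j <= b and for its Boolean variable e(i, j, b);
# a literal is (atom, polarity); a clause is a frozenset of literals.

def transitivity_clauses(atoms):
    """Derive the two forms of transitivity constraint from the text:
         e(i,j,b1) and e(j,k,b2)  =>  e(i,k,b1+b2)   for i != k,
         e(i,j,b1) and e(j,i,b2)  =>  false          when b1 + b2 < 0.
    A derived atom e(i,k,b1+b2) becomes a new variable. Assumption of this
    example, so that the closure is finite: atoms are only chained along
    simple paths of the constraint graph, and a derived atom remembers the
    vertex set of the path that first produced it. Returns (atoms, clauses)."""
    path = {a: frozenset((a[0], a[1])) for a in atoms}
    clauses, seen, work = [], set(), list(atoms)
    while work:
        a = work.pop()
        known = list(path)
        for x, y in [(a, z) for z in known] + [(z, a) for z in known]:
            i, j, b1 = x
            j2, k, b2 = y
            if j != j2:
                continue                          # not a chain i -> j -> k
            shared = path[x] & path[y]
            if i == k:                            # the chain closes a cycle at i
                if shared != frozenset((i, j)) or b1 + b2 >= 0:
                    continue
                clause = frozenset([(x, False), (y, False)])
            else:
                if shared != frozenset((j,)):
                    continue                      # would revisit a vertex
                z = (i, k, b1 + b2)
                if z not in path:
                    path[z] = path[x] | path[y]
                    work.append(z)
                clause = frozenset([(x, False), (y, False), (z, True)])
            if clause not in seen:
                seen.add(clause)
                clauses.append(clause)
    return list(path), clauses

def is_horn(clause):
    """A Horn clause has at most one positive literal."""
    return sum(1 for _, positive in clause if positive) <= 1

def horn_propagate(clauses, asserted):
    """Unit propagation over Horn clauses, the main step of the linear-time
    Horn-SAT algorithm: start from the atoms the Boolean skeleton of the
    formula asserts true, add every atom a clause forces, and report False
    as soon as a clause with no positive literal (a negative cycle) fires.
    Returns (consistent, atoms_true)."""
    true = set(asserted)
    changed = True
    while changed:
        changed = False
        for cl in clauses:
            negative = [atom for atom, pos in cl if not pos]
            positive = [atom for atom, pos in cl if pos]
            if all(atom in true for atom in negative):
                if not positive:
                    return False, true
                if positive[0] not in true:
                    true.add(positive[0])
                    changed = True
    return True, true

# Constructed sample (assumption of this example): x0 - x1 <= 1, x1 - x2 <= 1,
# x2 - x0 <= -5. Asserting all three is a negative cycle (1 + 1 - 5 < 0).
SAMPLE_ATOMS = [(0, 1, 1), (1, 2, 1), (2, 0, -5)]

if __name__ == "__main__":
    atoms, clauses = transitivity_clauses(SAMPLE_ATOMS)
    print(len(atoms), "atoms,", len(clauses), "transitivity clauses,",
          "all Horn:", all(is_horn(c) for c in clauses))   # 6 atoms, 6 clauses, all Horn: True
    print(horn_propagate(clauses, SAMPLE_ATOMS)[0])        # False (negative cycle)
    print(horn_propagate(clauses, SAMPLE_ATOMS[:2])[0])    # True
```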

Discussion 

We  conclude  this  section  with  a  summary  of  our  findings.  We  note  that: 

1. The performance of DPLL-based SAT solvers on instances generated using the Direct encoding
algorithm is superior to their performance on instances generated using the SD encoding,
even when the latter instances are larger.

2. The Direct encoding algorithm can, in the worst-case, generate a SAT problem that is exponentially
large in the original difference logic formula; moreover, this worst-case behavior
sometimes manifests itself in practice. In contrast, the SD encoding algorithm always generates
a polynomial-size SAT problem.

The  bottleneck  for  the  Direct  encoding,  therefore,  is  the  Boolean  encoding  step.  In  experiments, 
we  have  observed  that  if  this  step  completes,  it  is  almost  always  the  case  that  Direct  outperforms 
SD. 

6.1.2  Automated  Algorithm  Selection 

Since  neither  one  of  SD  and  Direct  encoding  methods  dominates  the  other,  we  are  presented  with 
the  following  questions: 

1.  Given  an  input  formula  in  difference  logic,  can  we  automatically  select  the  Boolean  encoding 
method  that  is  best  for  that  formula? 

2.  Can  the  SD  and  Direct  encoding  methods  be  combined  for  the  same  formula? 

Let  us  consider  the  second  question  first.  As  we  saw  in  Chapter  3,  variables  and  constraints  can  be 
partitioned  into  equivalence  classes.  A  separate  encoding  method  can  be  used  for  each  equivalence 
class,  and  this  decision  is  independent  of  those  made  for  other  classes.  Thus,  we  can  answer  the 
second  question  in  the  affirmative. 

The  first  question  can  be  viewed  as  an  instance  of  a  more  general  problem  called  the  algorithm 
selection  problem  [129].  This  problem  is  stated  as  follows: 

Given  a  portfolio  of  algorithms  for  a  problem  and  a  specific  problem  instance,  which 
algorithm  must  one  select  to  solve  that  instance  in  the  least  amount  of  time? 
The algorithm selection problem has been studied in various contexts, but never before for the
specific problem we consider. Algorithm selection arises naturally in the case of NP-hard problems
due to the unpredictability of run-times of heuristic-based algorithms. For example, researchers
have recently considered the problem of selecting one of several different algorithms for integer
linear programming [93]. There has also been work on choosing between different polynomial-time
algorithms for a problem, e.g., for selecting between sorting algorithms [88].

The  general  framework  for  algorithm  selection  is  as  follows: 

1. Select features $f_1, f_2, \ldots, f_k$ of the input that characterize the run-time of each alternative
algorithm. These features must be computable in (low-degree) polynomial time. Feature
selection is typically done manually.

2. Use machine learning techniques to derive a rule $r$ based on the features from a training set
of problem instances (formulas, in our case). Mathematically, the rule is a function from the
feature space to the set of candidate algorithms.

3. At run-time, compute the values of features for the input, and evaluate the rule: $r(f_1, f_2, \ldots, f_k)$
is the selected algorithm.

In  the  next  section,  we  present  an  approach  based  on  the  above  framework  to  automatically  selecting 
between  the  SD  and  Direct  Boolean  encoding  algorithms. 


6.2  Learning-Based  Approach 

Applying  the  above  learning-based  approach  in  our  specific  context  requires  making  two  design 
decisions.  First,  a  suitable  set  of  input  features  must  be  selected.  This  is  addressed  in  Sections  6.2.1 
and  6.2.2.  Second,  a  machine  learning  algorithm  must  be  chosen;  this  is  discussed  in  Section  6.2.3. 
In addition, modifications must be made to the Boolean encoding algorithm so as to permit combining
both SD and Direct methods whilst using automated algorithm selection. We discuss these
modifications  in  Section  6.2.4. 

6.2.1  Complexity  of  Counting  Transitivity  Constraints 

Our  first  task  is  to  pick  a  feature  of  the  input  formula  that  best  characterizes  the  run-times  of  the 
SD  and  Direct  algorithms.  We  observed  in  Section  6.1.1  that  the  Direct  algorithm  outperforms 
SD  when  the  Direct  encoding  phase  completes.  Thus,  a  predictor  of  the  run-time  of  the  Direct 
encoding  phase  is  a  natural  choice  of  formula  feature.  The  best  predictor  of  the  Direct  encoding 
time  is  the  number  of  transitivity  constraints. 

Unfortunately, the following result shows that the number of transitivity constraints is not a suitable
formula  feature. 

Theorem 6.1 A polynomial-time algorithm for counting the number of transitivity constraints cannot
exist.

Proof:  The  proof  is  by  contradiction.  Suppose  a  polynomial-time  algorithm  A  does  exist. 

Every transitivity constraint involving three variables involves the addition of an edge to the constraint
graph, if it did not already exist. We show that A must keep track of (i.e., maintain at least
one bit of storage for) every new edge added to the constraint graph. As illustrated in Example 3.4,
the number of new edges added at a node elimination step can be exponential in the size of the
original formula (the starting constraint graph for Example 3.4 is reproduced in Figure 6.3, for convenience).
This implies that, in the worst-case, A performs exponentially many writes, which is a
contradiction.


[Figure 6.3: constraint graph of Example 3.4; edge label: n − 1]

Figure 6.3: Exponential blow-up of Direct encoding, revisited

Suppose  A  does  not  keep  track  of  every  newly  added  edge.  Consider  the  graph  in  Figure  6.3.  We 
observe  that: 

1. There are n^k paths of distinct weight between k adjacent vertices.

2. Each new edge that is added in the Direct encoding algorithm, as a result of eliminating
some vertex v_i, accumulates the weights of edges on a distinct path between a subset of
adjacent vertices containing v_i.

3.  Every  newly  added  edge  is  generated  by  applying  the  transitivity  rule  to  a  unique  pair  of 
previously  existing  edges,  and  this  procedure  continues  until  only  two  vertices  remain. 

Thus, if the edge e missed by A was added at the i-th node elimination step, A will fail to record the
n^{n-i-2} new edges that are generated transitively from e. In other words, the count maintained by
A will fall short of the correct count by at least n^{n-i-2}.

Thus,  A  must  keep  track  of  every  newly  added  edge,  implying  that  a  polynomial-time  algorithm  for 
counting  the  number  of  transitivity  constraints  cannot  exist.  □ 

6.2.2  Feature  Selection 

The hardness of counting transitivity constraints, expressed in Theorem 6.1, implies that we must
look  for  other  formula  features  to  base  the  algorithm  selector  on. 

Four features were selected for the results reported here. The features and the rationale for selecting
them are as follows:

1. m, the number of difference constraints: Constraint graphs with very few edges (bounded by
a small constant) are likely to generate few transitivity constraints.

2. n, the number of variables: The rationale is similar to that for m.

3. m/n: This ratio is the average number of edges per vertex. If a vertex has a large number of
both incoming and outgoing edges, eliminating it is likely to generate many new edges.

4. m/n^2: This ratio is the average number of edges per node-pair, and is a measure of the density
of the graph.

Thus, each difference logic formula is represented by a corresponding feature vector (m, n, m/n, m/n^2).

Note that all four features, by themselves, are not perfect predictors of the number of transitivity
constraints. For example, if the starting constraint graph is a directed acyclic graph (DAG), eliminating
vertices in a topologically sorted order will result in no edges being added, even if m is very
large. There is also no formal reason why this set of features is adequate. The only justification of
our choice is the experimental validation presented in Section 6.3.
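The order dependence noted in this paragraph, and the multiplication of edges that the proof of Theorem 6.1 relies on, can both be exercised with the vertex-elimination routine below. This is an added example written for this edit, not code from the thesis or from UCLID; the constraint graph CHAIN, the function names, and the convention that parallel edges of different weight between the same two vertices are distinct edges (as in the paths of distinct weight in the proof) are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample graph (an assumption of this example, not the thesis'
# Figure 6.3): a chain v0 -> v1 -> v2 -> v3 whose adjacent vertices are joined
# by three parallel edges each. The weight sets {1,2,4}, {8,16,32} and
# {64,128,256} use disjoint bits, so every path has a distinct total weight.
CHAIN = {("v%d" % i, "v%d" % (i + 1), w * 8 ** i)
         for i in range(3) for w in (1, 2, 4)}

def eliminate_vertices(edges, order):
    """Vertex elimination as performed by the Direct encoding.

    `edges` is a set of (src, dst, weight) triples; parallel edges of
    different weight are distinct. Eliminating v joins each incoming edge
    (u, v, b1) with each outgoing edge (v, w, b2) into the transitive edge
    (u, w, b1 + b2); every such edge that did not exist yet is one new
    transitivity constraint. Returns (new_edge_count, remaining_edges).
    """
    live = set(edges)
    added = 0
    for v in order:
        incoming = [e for e in live if e[1] == v]
        outgoing = [e for e in live if e[0] == v]
        for (u, _, b1) in incoming:
            for (_, w, b2) in outgoing:
                if u == w:
                    # closes a cycle through v instead of producing an edge
                    # between distinct vertices; not counted here
                    continue
                new_edge = (u, w, b1 + b2)
                if new_edge not in live:
                    live.add(new_edge)
                    added += 1
        live.difference_update(incoming)
        live.difference_update(outgoing)
    return added, live

def topological_order(edges):
    """Kahn's algorithm over the distinct (src, dst) pairs; raises ValueError
    when the graph has a cycle."""
    pairs = {(u, w) for (u, w, _) in edges}
    indeg, succ = defaultdict(int), defaultdict(set)
    for (u, w) in pairs:
        indeg.setdefault(u, 0)
        indeg[w] += 1
        succ[u].add(w)
    ready = sorted(v for v, d in indeg.items() if d == 0)
    order = []
    while ready:
        v = ready.pop(0)
        order.append(v)
        for w in sorted(succ[v]):
            indeg[w] -= 1
            if indeg[w] == 0:
                ready.append(w)
    if len(order) != len(indeg):
        raise ValueError("graph contains a cycle")
    return order

def new_edges_in_topological_order(edges):
    """Eliminating a DAG in topological order never finds an incoming edge
    to combine, so no edge is ever added, however large m is."""
    return eliminate_vertices(edges, topological_order(edges))[0]

def new_edges_interior_first(edges, interior):
    """Eliminating interior vertices first multiplies the parallel paths."""
    rest = sorted({v for e in edges for v in e[:2]} - set(interior))
    return eliminate_vertices(edges, list(interior) + rest)[0]

if __name__ == "__main__":
    print("topological order:", new_edges_in_topological_order(CHAIN))        # 0
    print("v1, v2 first:", new_edges_interior_first(CHAIN, ["v1", "v2"]))    # 36
```

On CHAIN the topological order v0, v1, v2, v3 adds nothing, while eliminating v1 and then v2 first adds 9 and then 27 edges (3 × 3 paths into v0 → v2, then 9 × 3 into v0 → v3), which is the multiplication by n per elimination step that the proof uses; the feature m = 9 is the same in both runs, which is exactly why m alone cannot predict the Direct encoding time.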

A major advantage of our choice of features is that they are computable in low-degree polynomial
time. In the absence of ITE expressions, all four features are exactly computable in linear time, by
performing a scan of the formula. However, if ITE expressions are present, it is preferable not to
eliminate them since the elimination step itself can lead to an exponential blow-up. Therefore, we
instead estimate m by performing a cross-product operation at each relational operator. A detailed
description of this operation is deferred to Section 6.2.4.

6.2.3 Machine Learning Technique

The choice of a machine learning technique depends on the domain and range of the function to be
learnt. In our situation, we wish to learn a binary-valued decision function r(m, n, m/n, m/n^2) such that

    r(m, n, m/n, m/n^2) = \begin{cases} 1 & \text{if Direct must be selected} \\ 0 & \text{if SD must be selected} \end{cases}    (6.1)

The domain of the decision function r is Z × Z × R × R. A particularly suitable technique for learning
a binary function of numerical parameters is the support vector machine [157]. Given a set of points
in R^n with some points labeled 0 (negative examples) and some labeled 1 (positive examples),
a support vector machine (SVM) attempts to find the "best possible" separation of the negative
examples and the positive examples. In the simplest case, the examples are linearly separable,
and the generated separator is a linear function defining the half-space of R^n in which the positive
examples  lie.  However,  in  practice,  examples  are  not  usually  linearly  separable  and  the  data  can  also 
be  noisy.  The  real  strength  of  SVMs  lies  in  their  ability  to  learn  non-linear  separators  that  optimally 
separate  the  examples  (for  a  suitable  definition  of  optimality).  The  key  idea  is  to  project  the  points 
into  a  higher  dimensional  space  in  which  an  optimal  linear  separator  can  be  found. 

Further details on SVMs are outside the scope of this thesis. We refer the interested reader to
Christopher  Burges’  tutorial  on  the  subject  [35]. 

In  our  context,  an  SVM  learner  is  used  as  follows.  First,  we  generate  feature  vectors  for  a  set  of 
training  examples,  viz.,  a  set  of  formulas  used  to  learn  a  decision  rule.  The  SVM  learner  is  applied 
to  the  resulting  set  of  feature  vectors  to  obtain  a  decision  rule.  Note  that  this  process  of  learning 
is  off-line.  Second,  given  a  new  formula  to  decide,  the  learned  decision  rule  is  used  to  classify  it 
according  to  Equation  6.1. 

Details  on  the  SVM  implementation  we  used  are  discussed  in  Section  6.3. 

6.2.4  Hybrid  Encoding  Algorithm 

The choice between SD and Direct encoding algorithms is local, made separately for each variable
class.  Since  a  difference  logic  formula  typically  corresponds  to  several  variable  classes,  making 
local  decisions  based  on  the  learned  decision  rule  r  leads  to  a  hybrid  encoding  algorithm. 

Figure  6.4  re-defines  difference  logic  syntax  for  easy  reference  in  this  section. 

Given a difference logic formula F_dl, the hybrid encoding algorithm generates an equi-satisfiable
Boolean formula F_bool in the following six steps.


bool-expr ::= true | false | bool-var | ¬bool-expr | (bool-expr ∨ bool-expr)
            | (bool-expr ∧ bool-expr) | (int-expr = int-expr) | (int-expr < int-expr)
int-expr  ::= x_i | int-expr + b | ITE(bool-expr, int-expr, int-expr)

Figure 6.4: Difference logic syntax, revisited. x_i, 0 ≤ i < n, and b denote an integer variable and
constant respectively.

1. Generate variable classes. Let V denote the set of variables. We start by assigning each
variable to its own class. We then compute the dependency set for each term in F_dl, denoting
some subset of variables in V to which this term could evaluate. While doing this, some of
the classes are merged so that each dependency set is a subset of some class. For term T = x_i,
its dependency set is {x_i}. For term T = T_1 + b, its dependency set is the same as that of
T_1. For T = ITE(F, T_1, T_2), its dependency set is the union of those of T_1 and T_2. If the
dependency sets of T_1 and T_2 are subsets of two distinct classes, then we merge those classes.
For each equation T_1 = T_2 and each inequality T_1 < T_2, we perform a similar merging if
the dependency sets of T_1 and T_2 are subsets of distinct classes. Let V_1, ..., V_K be the K
different variable classes generated by this procedure.

2. Generate ground terms. A ground term is an expression of the form x_i + b, viz., an integer
offset from a variable. We transform the formula to generate ground terms by repeatedly
applying the following rewrite rules until a fixed point is reached.

    T + 0 → T
    (T + b_1) + b_2 → T + (b_1 + b_2)
    ITE(F, T_1, T_2) + b → ITE(F, T_1 + b, T_2 + b)

At this point, the terms at the leaves of the formula (viewed as an expression graph) consist
only of ground terms.

3. Compute solution bounds for each variable class. Recall from Remark 3.1 in Section 3.2
that the solution bound d_i for a variable class V_i with n_i variables is given by

    d_i = \sum_{j=1}^{n_i - 1} (|b_{ij}| + 1)

where b_{i1}, b_{i2}, ..., b_{i,n_i-1} are the n_i − 1 largest constants appearing in constraints corresponding
to class V_i.

The quantity n_i is easily computable, but computing the constants takes a little more work
due to the presence of ITE expressions. The constants are computed as follows. For each
equation T_1 = T_2 and each inequality T_1 < T_2 corresponding to class V_i, we find the set of
ground terms G(T_1) and G(T_2) that T_1 and T_2 can evaluate to, respectively. This is done
by modifying the algorithm for computing the dependency set (described above) to include
ground terms in addition to variables. For every pair (x_{k_1} + b_{k_1}, x_{k_2} + b_{k_2}) in the cross product
G(T_1) × G(T_2), where k_1 ≠ k_2, we compute the constant term |b_{k_1} − b_{k_2}| + 1. The n_i − 1
largest such terms are recorded, and used for computing d_i.

Given d_i, we obtain the length S_i of the bit-vector required to encode each variable in class
V_i.


4. Compute an upper bound on the number of difference constraints for each class. For
each of the classes V_i, we compute an upper bound diffcnt_i on the number of difference
constraints m_i. This is done as follows. Initially, diffcnt_i = 0, for each class V_i. Then, for
each equation T_1 = T_2 and each inequality T_1 < T_2 corresponding to V_i, we find the set of
ground terms G(T_1) and G(T_2) that T_1 and T_2 can evaluate to, respectively. For every pair
(t_1, t_2) in the cross product G(T_1) × G(T_2) that has not been encountered yet, and where t_1
and t_2 are distinct from each other, we increment diffcnt_i by 1.

Note that diffcnt_i is an upper bound on m_i, because we count constraints that disappear after
eliminating ITEs, e.g., counting (x_1, x_2) at the node ITE(F, x_1, x_2) = ITE(¬F, x_2, x_1).


5.  Perform  hybrid  encoding.  At  this  point,  we  have  all  the  information  we  need  to  encode  the 
difference  logic  formula  into  a  Boolean  formula. 

The algorithm proceeds by recursing on the formula structure. A Boolean variable retains the
same encoding. For a node f_1 ∧ f_2 (or f_1 ∨ f_2), we recursively encode the subexpressions
f_1, f_2 and conjoin (or disjoin) the results. Similarly, ¬f_1 is evaluated by encoding f_1 and
negating the result. The more interesting cases involve equations or inequalities.

For each equation T_1 = T_2 or inequality T_1 < T_2, we find the class V_k which contains the
variables that appear in G(T_1) and G(T_2).

We then evaluate the SVM classifier for V_k. The result of the classifier for V_k is

    r(diffcnt_k, n_k, diffcnt_k / n_k, diffcnt_k / n_k^2)

Note that the classifier has to be evaluated only once for each variable class.

If the classifier returns 0, then we encode T_1, T_2 using the SD method. The encodings of T_1
and  T2  are  symbolic  bit- vectors  of  size  Sk.  Bitwise  equality  or  comparison  is  used  to  translate 
a  relational  operator  to  a  Boolean  expression.  The  arithmetic  operations  +  and  —  are  encoded 
using  binary  arithmetic,  and  ITE  expressions  are  encoded  as  multiplexors. 

Otherwise, if the classifier returns 1, we use the Direct method to encode T_1 and T_2, using
the technique proposed by Bryant et al. [29]. Suppose T_1 evaluates to a ground term g_i under
the condition c_i, and T_2 evaluates to g_j under c_j. For example, the term ITE(F, x_1, x_2)
evaluates to x_2 under ¬F. The encoding of the predicate T_1 ⋈ T_2, where ⋈ ∈ {=, <}, is
given by \bigvee_{i,j} (c_i ∧ c_j ∧ e_{g_i ⋈ g_j}), where e_{g_i ⋈ g_j} is a symbolic Boolean constant to encode the
constraint g_i ⋈ g_j.

6. Generate F_bool. Let F_hvar denote the formula obtained by performing the hybrid encoding
on F_dl. We generate the conjunction F_trans of all transitivity constraints for predicates in
F_dl encoded using the Direct method. The final Boolean formula F_bool is then generated
as (F_trans ∧ F_hvar).

Hereafter,  the  hybrid  encoding  algorithm  will  be  denoted  as  Hybrid. 
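Steps 1 to 4 above, followed by the per-class evaluation of r from step 5, are carried out below on a small constructed difference logic formula. This is an added example, not the UCLID implementation: the tuple-based AST, the function names, the reading of S_i as the number of bits needed to hold 0..d_i, the counting of ordered ground-term pairs for diffcnt_i, and demo_rule (a stand-in for the SVM-learned rule of Equation 6.1, not the thesis' classifier) are all assumptions of the example. The sample formula includes the ITE(F, x_1, x_2) = ITE(¬F, x_2, x_1) node from step 4 so that the over-counting in diffcnt_i is visible.

```python
from fractions import Fraction
from itertools import product

# Constructed tuple AST for the syntax of Figure 6.4 (an assumption of this
# example, not UCLID's data structures):
#   term    ::= ('var', name) | ('plus', term, int) | ('ite', formula, term, term)
#   formula ::= ('bvar', name) | ('not', f) | ('and', f, f) | ('or', f, f)
#             | ('eq', term, term) | ('lt', term, term)

def ground_terms(term):
    """G(T): the ground terms (variable, offset) that T can evaluate to. This
    folds the step-2 rewrite rules (T+0 -> T, (T+b1)+b2 -> T+(b1+b2),
    ITE(F,T1,T2)+b -> ITE(F,T1+b,T2+b)) into one recursive pass."""
    kind = term[0]
    if kind == 'var':
        return {(term[1], 0)}
    if kind == 'plus':
        return {(x, c + term[2]) for (x, c) in ground_terms(term[1])}
    if kind == 'ite':
        return ground_terms(term[2]) | ground_terms(term[3])
    raise ValueError("unknown term %r" % (term,))

def atoms(formula):
    """Yield every equation or inequality node of a formula."""
    kind = formula[0]
    if kind in ('eq', 'lt'):
        yield formula
    elif kind == 'not':
        yield from atoms(formula[1])
    elif kind in ('and', 'or'):
        yield from atoms(formula[1])
        yield from atoms(formula[2])
    # a 'bvar' node contributes no atoms

def variable_classes(formula):
    """Step 1 as union-find: the two sides of each atom (and hence both
    branches of every ITE inside them) are merged into one class."""
    parent = {}

    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for (_, t1, t2) in atoms(formula):
        vs = sorted({x for (x, _) in ground_terms(t1) | ground_terms(t2)})
        for v in vs[1:]:
            parent[find(v)] = find(vs[0])
    classes = {}
    for v in list(parent):
        classes.setdefault(find(v), set()).add(v)
    return sorted(classes.values(), key=sorted)

def class_profile(formula, cls):
    """Steps 3 and 4 for one class V_i: returns (n_i, d_i, S_i, diffcnt_i)."""
    n = len(cls)
    consts = []        # the |b_k1 - b_k2| + 1 terms of step 3
    seen = set()       # ordered ground-term pairs already counted (assumption)
    for (_, t1, t2) in atoms(formula):
        g1, g2 = ground_terms(t1), ground_terms(t2)
        if not {x for (x, _) in g1 | g2} <= cls:
            continue   # this atom belongs to another class
        for (x1, b1), (x2, b2) in product(g1, g2):
            if x1 != x2:
                consts.append(abs(b1 - b2) + 1)
            if (x1, b1) != (x2, b2):
                seen.add(((x1, b1), (x2, b2)))
    d = sum(sorted(consts, reverse=True)[:n - 1])
    width = max(1, d.bit_length())   # bits for 0..d_i; assumed reading of S_i
    return n, d, width, len(seen)

def feature_vector(formula, cls):
    """Per-class feature vector (m, n, m/n, m/n^2) of Section 6.2.2, with m
    taken as the diffcnt upper bound of step 4."""
    n, _, _, diffcnt = class_profile(formula, cls)
    return (diffcnt, n, Fraction(diffcnt, n), Fraction(diffcnt, n * n))

def choose_encodings(formula, rule):
    """Step 5's per-class decision: `rule` plays the role of the learned r
    of Equation 6.1 (1 selects Direct, 0 selects SD)."""
    return {frozenset(c): ('Direct' if rule(*feature_vector(formula, c)) else 'SD')
            for c in variable_classes(formula)}

def demo_rule(m, n, m_over_n, m_over_n2):
    """Constructed stand-in for the SVM-learned classifier (not the thesis'
    rule): choose Direct only when the class graph is sparse per vertex."""
    return 1 if m_over_n < 1 else 0

# Constructed sample formula. Its third atom is the ITE(F, x1, x2) = ITE(not F,
# x2, x1) node of step 4, whose (x1, x2) pair is counted although it vanishes
# once the ITEs are eliminated.
P = ('bvar', 'p')
F_DL = ('and',
        ('and', ('lt', ('ite', P, ('var', 'x1'), ('var', 'x2')), ('plus', ('var', 'x3'), 5)),
                ('eq', ('plus', ('var', 'x3'), 2), ('var', 'x1'))),
        ('and', ('eq', ('ite', P, ('var', 'x1'), ('var', 'x2')),
                       ('ite', ('not', P), ('var', 'x2'), ('var', 'x1'))),
                ('lt', ('var', 'x4'), ('plus', ('var', 'x5'), 1))))
```

For F_DL the classes are {x1, x2, x3} and {x4, x5}; the first has diffcnt = 5 although only three distinct difference constraints survive ITE elimination, d = 6 + 6 = 12 and S = 4 bits, and demo_rule sends it to SD while the sparse second class goes to Direct, which is the local, per-class choice that makes the overall encoding a hybrid.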


6.3  Experimental  Evaluation 

The Hybrid encoding algorithm was implemented in UCLID. We report here on experiments comparing
Hybrid with the SD and Direct encoding methods. We also report comparisons with
CVC-Lite [13, 48] (the latest version at the time of writing), a publicly-available SAT-based decision
procedure that is sound and complete for integers. CVC-Lite is the successor to SVC, the
Stanford Validity Checker [12].

The experimental setup was identical to that used in Section 6.1.1; we used the same 49 benchmarks,
the  zChaff  SAT  solver,  and  the  same  platform  and  timeout  (3600  sec.)  settings. 

Implementation  of  Hybrid 

The  implementation  of  Hybrid  exactly  follows  the  algorithm  described  in  Section  6.2.4.  The  only 
remaining  details  concern  our  use  of  SVM  learning. 

We  used  a  publicly  available  package  called  SVM-Light  [83,  151].  About  one-third  of  the  formulas 
(17  out  of  49)  were  used  as  a  training  set.  For  each  of  these  formulas,  we  ran  both  SD  and  Direct 
encoding  algorithms.  If  the  Direct  encoding  algorithm  ran  out  of  memory  on  a  formula,  we 
marked  it  as  a  negative  example;  if  not,  we  marked  it  as  a  positive  example.  The  input  to  SVM- 
Light  comprised  the  labeled  feature  vectors  corresponding  to  these  training  examples.  Note  that  the 
m  values  in  the  feature  vectors  were  computed  exactly,  since  we  ran  the  Direct  encoding  algorithm 
which  eliminates  ITE  expressions  as  a  first  step.  The  only  preprocessing  step  applied  to  the  feature 
vectors  before  running  the  SVM-Light  learner  on  them  was  to  scale  all  features  to  be  of  the  same 
order  by  multiplying  by  a  constant  (for  our  case,  in  and  around  the  range  [0, 1]),  as  recommended 
by Hsu et al. [79]. This is to avoid larger-valued features (such as m) dominating smaller ones (such
as the ratio features) and also to avoid numerical computation errors. We used SVM-Light to learn a non-linear
separator  by  choosing  a  degree-three  polynomial  kernel  with  unit  coefficients. 

Results 

Figure  6.5  shows  a  scatterplot  comparing  the  total  run-time  (encoding  +  SAT)  of  the  SD  method  to 
that for the Hybrid method. The format of this plot is identical to those in Figures 6.1 and 6.2.
We  observe  that  Hybrid  outperforms  SD  on  almost  all  benchmarks,  including  one  on  which  SD 
times  out  while  Hybrid  completes  within  about  2  minutes.  There  is  one  benchmark  on  which  both 
Hybrid  and  SD  fail  to  complete  within  the  timeout;  this  is  an  example  on  which  neither  SD  nor 
Direct complete due to the time taken by the SAT solver. There are a few benchmarks on which
SD outperforms Hybrid, but both run-times are either very close or on the order of a few seconds.


[Figure 6.5: scatterplot; axis label: Total Time for Hybrid (sec.)]

Figure 6.5: Comparing SD and Hybrid encoding methods. Note the log scales on both axes.

Figure  6.6  shows  the  comparison  of  Hybrid  with  Direct.  Again  we  see  that  Hybrid  outperforms 
Direct  on  the  majority  of  formulas,  including  11  on  which  Direct  times  out  while  Hybrid 
finishes. There are also two examples on which Direct outperforms Hybrid by about a factor
of four and on which both methods take longer than a minute. The reason for Direct's superior
performance on these benchmarks is due to misclassification by the SVM learner, which, in turn,
is  likely  because  the  set  of  features  is  inadequate  to  fully  characterize  the  number  of  transitivity 
constraints. 

Figure 6.6: Comparing Direct and Hybrid encoding methods. Note the log scales on both
axes.

Figure 6.7 compares Hybrid with CVC-Lite. CVC-Lite terminates within the timeout on 19 of the
49 benchmarks. Hybrid outperforms CVC-Lite on all but 8 benchmarks, on all of which Hybrid
terminates within a minute. These 8 benchmarks are all conjunctions of atomic predicates, which
require CVC-Lite to make only a single call to its ground decision procedure that solves a system
of difference constraints using Fourier-Motzkin elimination. On the remaining 11 benchmarks on
which CVC-Lite terminates, we can see that Hybrid sometimes outperforms CVC-Lite by over a
factor of 1000.

In summary, the improvement of Hybrid over Direct is due to reduction in the number of transitivity
constraints, while the improvement over SD is due to reduced SAT time. We have also
demonstrated  that  Hybrid  can  greatly  outperform  a  state-of-the-art  procedure  such  as  CVC-Lite. 


6.4  Discussion 

We presented a novel hybrid Boolean encoding method for difference logic, making two main conceptual
contributions. First, we demonstrated the complementary strengths of the SD and Direct
encodings and showed how they can be combined. Second, we showed how machine learning can be
used to automatically select between the two encoding algorithms based on past examples. Experimental
results demonstrate the robustness of the resulting Hybrid method to variations in formula
characteristics.

Figure 6.7: Comparing CVC-Lite and the Hybrid encoding method. Note the log scales on
both axes.

The work in this chapter is just a first step towards automated algorithm selection in the context
of decision procedures, in general, and for SAT-based procedures, in particular. There are many
directions for future work.

The  problem  of  misclassification  and  feature  selection  need  further  study.  The  feature  set  can  be 
expanded,  and  techniques  for  feature  subset  selection  [50]  can  be  employed.  Other  methods  for 
learning  a  binary  function  of  numerical  inputs,  such  as  logistic  regression  [78],  deserve  further 
exploration. 

Although the number of transitivity constraints cannot be counted exactly in polynomial time, there
is still the possibility of finding an approximation algorithm. A somewhat related problem, that of
counting the number of cycles in a directed graph, has been proved to be hard to approximate to a
1 + ε factor [82]. This problem appears to be related since the goal of adding transitivity constraints
is to ensure that the constraint graph corresponding to a satisfying assignment does not contain a
positive weight cycle. The implications of the hardness result for counting transitivity constraints are,
however, unclear.


Chapter  7 


Extended  Logic  and  Applications 


The decision procedures described in this thesis are implemented in a verification system called
UCLID. The logic underlying UCLID includes not only linear arithmetic over integers, but also two
other logical constructs, viz., uninterpreted functions and a restricted form of lambda expressions.
These additional constructs are very useful in modeling a variety of both hardware and software
systems.

The first half of this chapter describes the extensions to the logic and the corresponding extensions to
UCLID's decision procedures. In the second half, we describe the verification techniques available
in  UCLID,  for  which  the  decision  procedures  form  the  computational  engine.  We  also  illustrate 
how  one  of  these  techniques,  bounded  model  checking,  has  proved  useful  in  analyzing  software  for 
a  class  of  security  bugs  known  as  format-string  vulnerabilities. 


7.1  Extended  Logic 

Figure  7.1  gives  the  syntax  for  the  extended  logic  that  includes  the  following  three  theories: 

1. Uninterpreted functions

2.  Quantifier-free  Presburger  arithmetic 

3.  Restricted  lambda  expressions  (these  can  be  used  to  express  arrays,  for  example) 

Expressions in the extended logic are of four different types. As before, two of the types are Boolean
and  integer.  Boolean  expressions,  or  formulas,  yield  true  or  false.  Integer  expressions,  also  referred 
to  as  terms,  yield  integer  values.  Predicate  expressions  denote  functions  from  integers  to  Boolean 
values.  Function  expressions,  on  the  other  hand,  denote  functions  from  integers  to  integers. 

bool-expr      ::= true | false | ¬bool-expr | (bool-expr ∧ bool-expr) | (bool-expr ∨ bool-expr)
                 | (\sum_{j=1}^{n} a_j · int-expr_j = b) | (\sum_{j=1}^{n} a_j · int-expr_j < b)
                 | predicate-expr(int-expr, ..., int-expr)
int-expr       ::= int-var | b | int-expr + int-expr | a · int-expr
                 | ITE(bool-expr, int-expr, int-expr)
                 | function-expr(int-expr, ..., int-expr)
predicate-expr ::= predicate-symbol | λ int-var, ..., int-var . bool-expr
function-expr  ::= function-symbol | λ int-var, ..., int-var . int-expr

Figure 7.1: Expression syntax for extended UCLID logic. Expressions can denote computations
of Boolean values, integers, or functions of integers yielding Boolean values or integers. a_j and b
denote integer constants.

The simplest Boolean expressions are the values true and false. Boolean expressions can also be
formed as a linear equation or inequality over integer expressions, by applying a predicate expression
to a list of integer expressions, and by combining Boolean expressions using Boolean connectives.
Relational and Boolean operators not shown in the figure can be expressed in terms of those
employed.

Integer expressions can be integer variables, used only as the formal arguments of lambda expressions,
or an integer constant (note the difference here with the syntax used earlier in the thesis). They
can also be formed by combining integer expressions with the operators (interpreted functions) for
linear arithmetic, by applying a function expression to a set of integer expressions, or by applying
the ITE ("if-then-else") operator.

Function  expressions  can  be  either  function  symbols,  representing  uninterpreted  functions,  or  lambda 
expressions,  defining  the  value  of  the  function  as  an  integer  expression  containing  references  to  a 
set  of  argument  variables.  Function  symbols  of  arity  zero  are  also  called  symbolic  constants.  They 
denote  arbitrary  integer  values,  and  play  the  same  role  in  this  chapter  as  integer  variables  (denoted 
x_i) in previous chapters. Since these symbols are instantiated without any arguments, we will omit
the parentheses, writing f instead of f().

Similarly, predicate expressions can be either predicate symbols, representing uninterpreted predicates,
or lambda expressions, defining the value of the predicate as a Boolean expression containing
references  to  a  set  of  argument  variables.  Predicate  symbols  of  arity  zero  are  also  called  symbolic 
Boolean  constants.  They  denote  arbitrary  Boolean  values,  and  play  the  same  role  as  Boolean  vari- 
ables in previous chapters. We will also omit the parentheses following the instantiation of such a
predicate. 

Notice  that  we  restrict  the  parameters  to  a  lambda  expression  to  be  integers,  and  not  function  or 
predicate  expressions.  There  is  no  way  in  our  logic  to  express  any  form  of  iteration  or  recursion. 

An  integer  variable  x  is  said  to  be  bound  in  expression  E  when  it  occurs  inside  a  lambda  expression 
for  which  x  is  one  of  the  argument  variables.  We  say  that  an  expression  is  well-fanned  when  it 
contains  no  unbound  variables.  The  value  denoted  by  a  well-formed  expression  is  defined  relative  to 
an  interpretation  I  of  the  function  and  predicate  symbols.  Interpretation  I  assigns  to  each  function 
symbol  of  arity  k  a  function  from  7Lk  to  Z,  and  to  each  predicate  symbol  of  arity  k  a  function 
from  7Lk  to  {true,  false}.  Given  an  interpretation  I  of  the  function  and  predicate  symbols  and  a 
well-formed  expression  E,  we  can  define  the  valuation  of  E  under  I,  denoted  [E\j,  according  to  its 
syntactic  structure.  The  valuation  of  E  is  either  a  Boolean  value,  an  integer,  a  function  from  integers 
to  Boolean  values,  or  a  function  from  integers  to  integers,  according  to  whether  E  is  a  Boolean 
expression,  an  integer  expression,  a  predicate  expression,  or  a  function  expression,  respectively.  We 
omit  the  details.  A  well-formed  formula  F  is  true  under  interpretation  I  if  [F]j  is  true.  It  is  valid 
when  it  is  true  under  all  possible  interpretations. 

Note  that  our  logic  is  quantifier-free.  It  is  well-known  that  adding  quantifiers  to  even  the  sub-logic 
of  uninterpreted  functions  and  equality  results  in  undecidability  [19,  65]. 

We  now  show  how  the  newly  added  logical  constructs  can  be  used  for  modeling  a  range  of  hardware 
and  software  constructs. 

7.1.1  Uninterpreted  Function  Symbols 

Uninterpreted functions and predicates satisfy no particular property other than functional consistency,
viz., that they evaluate to the same value on the same arguments. Functional consistency is
formalized in the theory of uninterpreted functions as the congruence axiom. This axiom is stated
below for an arbitrary uninterpreted function symbol f of arity k:

    \forall x_{11}, x_{12}, \ldots, x_{1k}, x_{21}, x_{22}, \ldots, x_{2k} :
    (x_{11} = x_{21} \wedge x_{12} = x_{22} \wedge \ldots \wedge x_{1k} = x_{2k}) \Rightarrow f(x_{11}, x_{12}, \ldots, x_{1k}) = f(x_{21}, x_{22}, \ldots, x_{2k})    (7.1)

Uninterpreted functions and predicates are used in hardware verification to abstract word-level values
of data and implementation details of functional blocks. Similarly, in software analysis, operators
for non-linear functions such as multiplication and division can be abstracted using uninterpreted
functions. In addition, uninterpreted functions and predicates are particularly useful in
modeling data access functions, such as array and memory operations.

Uninterpreted functions are useful when comparing two systems for behavioral equivalence, such
as  a  specification  and  its  implementation.  This  is  because  using  the  same  function  symbol  in  a 
symmetric  way  in  the  two  systems  ensures  that  it  will  return  the  same  values  when  applied  to  equal 
arguments.  For  example,  one  successful  use  of  the  UCLID  system  is  in  the  verification  of  pipelined 
microprocessor designs, where a pipelined implementation is compared with an instruction set architecture
(ISA) model [89]. Similarly, in software analysis, uninterpreted functions find use in
applications such as translation validation [123], where two program fragments are checked for
behavioral equivalence.

7.1.2  Lambda  Expressions 

Lambda expressions are extremely useful in modeling data structures. In this section, we give a few
representative examples. We use a record notation to represent data structures that are characterized
by multiple expressions.

Memories 

Lambda notation allows us to model the effect of a sequence of read and write operations on a
memory (the select and update operations on an array). At any point of system operation, a memory
is represented by a function expression M denoting a mapping from addresses to values (for an array,
the mapping is from indices to values). The initial state of the memory is given by an uninterpreted
function symbol m_0 indicating an arbitrary memory state. The effect of a write operation with
integer expressions A and D denoting the address and data values yields a function expression M':

$$ M' = \lambda\, \mathit{addr} \,.\, \mathit{ITE}(\mathit{addr} = A,\ D,\ M(\mathit{addr})) $$

Reading from array M at address A simply yields the function application M(A).

Multi-dimensional memories or arrays are easily expressed in exactly the same way. Moreover,
lambda expressions can express parallel-update operations, which express the result of updating
multiple memory locations in a single step. This is particularly relevant for hardware, and can also
be used in modeling concurrent software. For instance, to express the result of resetting to zero all
memory locations that have negative values, we can write

$$ M' = \lambda\, a \,.\, \mathit{ITE}(M(a) < 0,\ 0,\ M(a)) $$

The ability to model the select and update array operations raises a natural question about whether
the lambda notation introduced in this section is more (or less) expressive than the standard non-
extensional theory of arrays [34, 110]. In fact, these two theories are incomparable, for the following
reasons:

1. The standard theory of arrays cannot model parallel-update operations. As we have shown,
these can be easily expressed with our lambda notation.

2. The standard theory of arrays allows two arrays to be compared for equality. Formally, such
a comparison between arrays M_1 and M_2 can be written as Since our
logic is quantifier-free (with implicit universal quantification on all symbols at the top level),
such a comparison can only be made when it appears in the formula under an even number of
negations, by applying both arrays to a fresh symbol that is universally quantified at the top
level.

Other forms of memory can be modeled as well using lambda expressions. For example, we can
model a Content Addressable Memory (CAM) that stores associations between keys and data. We
represent a CAM C at any point in the system operation by two expressions: a predicate expression
C.present such that C.present(k) is true for any key k that is stored in the CAM, and a function
expression C.data, such that C.data(k) yields the data associated with key k, assuming the key is
present. As an initial state in invariant checking we can represent a CAM C having an arbitrary state
by letting C.present = p_0 and C.contents = c_0, where p_0 (respectively, c_0) is an uninterpreted
predicate (resp., function).

Insertion into a CAM is expressed by the operation Insert(C, K, D). This operation yields a new
CAM C' where:

$$ C'.\mathit{present} = \lambda\, \mathit{key} \,.\, \mathit{key} = K \vee C.\mathit{present}(\mathit{key}) $$

$$ C'.\mathit{data} = \lambda\, \mathit{key} \,.\, \mathit{ITE}(\mathit{key} = K,\ D,\ C.\mathit{data}(\mathit{key})) $$

On the other hand, the effect of deleting the entry associated with key K is expressed by the operation
Delete(C, K). This operation yields a new CAM C' where

$$ C'.\mathit{present} = \lambda\, \mathit{key} \,.\, \neg(\mathit{key} = K) \wedge C.\mathit{present}(\mathit{key}) $$

$$ C'.\mathit{data} = C.\mathit{data} $$

Ordered  Data  Structures 

We show how an ordered data structure, such as a queue, can be modeled using lambda notation and
linear arithmetic.

A queue of arbitrary length can be modeled as a record Q having components Q.contents, Q.head,
and Q.tail. Conceptually, the contents of the queue are represented as some subsequence of an
infinite sequence, where Q.contents is a function expression mapping an integer index i to the
value of sequence element i. Q.head is an integer expression indicating the index of the head of the
queue, i.e., the position of the oldest element in the queue. Q.tail is an integer expression indicating
the index at which to insert the next element. In general, we require Q.head ≤ Q.tail as an invariant
property. Q is modeled as having an arbitrary state by letting Q.contents = c_0, Q.head = h_0, and
Q.tail = t_0, where c_0 is an uninterpreted function and h_0 and t_0 are symbolic constants satisfying
the constraint h_0 ≤ t_0. This constraint is enforced by including it in the antecedent of the formula
whose validity we wish to check.

The operation testing if the queue is empty can be expressed quite simply as:

$$ \mathit{isEmpty}(Q) = (Q.\mathit{head} = Q.\mathit{tail}) $$

Using this operation we can define the following three operations on the queue:

1. Pop(Q): The pop operation on a non-empty queue returns a new queue Q' with the first
element removed; this is modeled by incrementing the head.

$$ Q'.\mathit{head} = \mathit{ITE}(\mathit{isEmpty}(Q),\ Q.\mathit{head},\ Q.\mathit{head} + 1) $$

2. First(Q): This operation returns the element at the head of the queue, provided the queue is
non-empty. It is defined as Q.contents(Q.head).

3. Push(Q, X): Pushing data item X into Q returns a new queue Q' where

$$ Q'.\mathit{tail} = Q.\mathit{tail} + 1 $$

$$ Q'.\mathit{contents} = \lambda\, i \,.\, \mathit{ITE}(i = Q.\mathit{tail},\ X,\ Q.\mathit{contents}(i)) $$

Assuming we start in a state where h_0 ≤ t_0, Q.head will never be greater than Q.tail because of
the conditions under which we increment the head.

Bounded  length  queues  can  be  similarly  expressed,  with  an  additional  constraint  in  the  case  of  the 
push  operation  disallowing  a  push  when  the  queue  is  full.  In  particular,  to  bound  a  queue  to  a 
maximum  length  of  k  (where  k  is  an  integer,  not  a  symbolic  constant),  we  add  the  condition  for 
pushing  that  Q.tail  is  incremented  only  when  Q.tail  <  Q.head  +  k. 

Partially  Interpreted  Functions 

We noted earlier that non-linear arithmetic operations can be abstracted using uninterpreted
functions. Lambda expressions allow us to assign a partial interpretation to such operations.

For instance, for integer multiplication, we can express the property that the constant 1 is the
multiplicative identity and 0 is the annihilator, by defining multiplication as follows:

$$ \mathit{mul} = \lambda\, i, j \,.\, \mathit{ITE}(i = 0 \vee j = 0,\ 0,\ \mathit{ITE}(i = 1,\ j,\ \mathit{ITE}(j = 1,\ i,\ \mathit{mult}(i, j)))) $$

Here the uninterpreted function mult is the default in case none of the special cases are matched.

The use of such partially interpreted functions can reduce the imprecision that abstraction of
non-linear operators introduces.

7.2  Decision  Procedure  Extensions 

Given a formula F_ucl in the extended logic of UCLID, we decide its validity by performing a
satisfiability-preserving translation to a Boolean formula F_bool in a single step, and then invoking a
SAT solver on F_bool. The translation operates in three steps:

1. All lambda expressions are eliminated, resulting in a formula F_norm.

2. Function and predicate applications of non-zero arity are eliminated to get a formula F_arith.

3. Formula F_arith is in quantifier-free Presburger arithmetic. We translate F_arith to an equi-
satisfiable Boolean formula F_bool using the methods described in Chapters 3-6.

A brief description of the first two steps of translation follows. Details on eliminating function
applications are outside the scope of this thesis and can be found in earlier work [2, 29].

7.2.1  Elimination  of  Lambda  Expressions 

Recall that the extended logic syntax does not permit recursion or iteration. Therefore, each lambda
application in F_ucl can be expanded by beta-substitution, i.e., by replacing each argument variable
with the corresponding argument term. Denote the resulting formula by F_norm.

This step can result in an exponential blow-up in formula size. Suppose that all expressions in our
logic are represented as directed acyclic graphs (DAGs) so as to share common sub-expressions.
Then, the following example shows how we can get an exponential-sized DAG representation of
F_norm starting from a linear-sized DAG representation of F_ucl.

Example 7.1 Let F_ucl be defined recursively by the following set of expressions:

$$ F_{ucl} = P(L_1(b)) $$

$$ L_1 = \lambda\, x \,.\, f_1(L_2(x),\ L_2(g_1(x))) $$

$$ L_2 = \lambda\, x \,.\, f_2(L_3(x),\ L_3(g_2(x))) $$

$$ \vdots $$

$$ L_{n-1} = \lambda\, x \,.\, f_{n-1}(L_n(x),\ L_n(g_{n-1}(x))) $$

$$ L_n = g_n $$

Notice that the representation of F_ucl is linear in n. Suppose we perform beta-substitution on F_ucl.
The sub-expression L_1(b) gets transformed to f_1(L_2(b), L_2(g_1(b))). Next, if we expand L_2, we
get four applications of L_3, viz., L_3(b), L_3(g_1(b)), L_3(g_2(b)), and L_3(g_2(g_1(b))). Notice that there
were originally only two applications of L_3.

Continuing the elimination process, after k − 1 elimination steps, we will get 2^{k−1} distinct
applications of L_k. This can be formalized by observing that after k − 1 steps each argument to L_k
is comprised of applications of functions from a distinct subset of {g_1, g_2, ..., g_{k−1}}, i.e., a distinct
element of 𝒫({g_1, g_2, ..., g_{k−1}}). Thus, after all lambda elimination steps, F_norm will contain
2^{n−1} distinct applications of g_n, and hence is exponential in the size of F_ucl. □

In practice, however, we have never encountered this exponential blow-up. This is because the
recursive structure in most lambda expressions, including those for memory operations, tends to be
linear. For example, here is the lambda expression corresponding to the result of the memory write
operation:

$$ \lambda\, \mathit{addr} \,.\, \mathit{ITE}(\mathit{addr} = A,\ D,\ M(\mathit{addr})) $$

Notice that the "recursive" use of M occurs only in one of the branches of the ITE expression.
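As an added illustration (not code from the thesis or from UCLID), the following Python model represents terms as hash-consed tuples, performs beta-substitution on the lambda definitions of Example 7.1 and counts the distinct applications of g_n, and then expands a chain of memory-write lambdas of the form just shown to confirm that the DAG grows only linearly there. The term encoding and all function names are this example's own.

```python
"""Hash-consed term DAG plus beta-substitution (added example, not thesis code).

Terms are immutable tuples, so structurally equal sub-expressions compare
equal and are shared:
  ('var', name)              symbolic constant or bound variable
  ('app', name, args)        application of an uninterpreted function
  ('call', lam_name, args)   application of a named lambda expression
  ('ite', c, t, e) and ('eq', a, b)
Named lambdas live in a dict  name -> ('lam', params, body).
"""

def var(name): return ('var', name)
def app(name, *args): return ('app', name, tuple(args))
def call(lam_name, *args): return ('call', lam_name, tuple(args))
def ite(c, t, e): return ('ite', c, t, e)
def eq(a, b): return ('eq', a, b)

def children(term):
    """Immediate sub-terms (a variable has none)."""
    if term[0] in ('app', 'call'):
        return term[2]
    if term[0] in ('ite', 'eq'):
        return term[1:]
    return ()

def rebuild(term, kids):
    """Copy of term with its children replaced by kids."""
    if term[0] == 'var':
        return term
    if term[0] in ('app', 'call'):
        return (term[0], term[1], tuple(kids))
    return (term[0],) + tuple(kids)

def substitute(term, env):
    """Replace bound variables (keys of env) by the argument terms."""
    if term[0] == 'var':
        return env.get(term[1], term)
    return rebuild(term, [substitute(c, env) for c in children(term)])

def beta_expand(term, lambdas, memo=None):
    """Eliminate every named-lambda application by beta-substitution.
    memo is keyed on input terms, so shared input sub-DAGs are expanded once;
    sharing cannot help once the expanded arguments are all distinct."""
    if memo is None:
        memo = {}
    if term in memo:
        return memo[term]
    if term[0] == 'call':
        _, params, body = lambdas[term[1]]
        args = [beta_expand(c, lambdas, memo) for c in children(term)]
        out = beta_expand(substitute(body, dict(zip(params, args))), lambdas, memo)
    else:
        out = rebuild(term, [beta_expand(c, lambdas, memo) for c in children(term)])
    memo[term] = out
    return out

def distinct_apps(term, name, seen=None):
    """Number of structurally distinct applications of function symbol name."""
    if seen is None:
        seen = set()
    if term[0] == 'app' and term[1] == name:
        seen.add(term)
    for c in children(term):
        distinct_apps(c, name, seen)
    return len(seen)

def dag_size(term, seen=None):
    """Number of distinct sub-terms, i.e. the size of the shared DAG."""
    if seen is None:
        seen = set()
    if term not in seen:
        seen.add(term)
        for c in children(term):
            dag_size(c, seen)
    return len(seen)

def example_7_1(n):
    """F_ucl = P(L_1(b)), L_i = lambda x. f_i(L_{i+1}(x), L_{i+1}(g_i(x))),
    L_n = g_n.  Returns the number of distinct g_n applications in F_norm,
    which is 2^(n-1) although F_ucl itself is linear in n."""
    lambdas = {}
    for i in range(1, n):
        lambdas[f'L{i}'] = ('lam', ('x',),
                            app(f'f{i}', call(f'L{i+1}', var('x')),
                                call(f'L{i+1}', app(f'g{i}', var('x')))))
    lambdas[f'L{n}'] = ('lam', ('x',), app(f'g{n}', var('x')))
    f_norm = beta_expand(app('P', call('L1', var('b'))), lambdas)
    return distinct_apps(f_norm, f'g{n}')

def memory_writes(k):
    """k writes M_j = lambda addr. ITE(addr = A_j, D_j, M_{j-1}(addr)) on top of
    an arbitrary initial memory m0, then one read M_k(R).  Returns the DAG size
    of the expanded read: 4k + 2, linear, because M_{j-1} sits in one ITE branch."""
    lambdas = {'M0': ('lam', ('a',), app('m0', var('a')))}
    for j in range(1, k + 1):
        lambdas[f'M{j}'] = ('lam', ('a',),
                            ite(eq(var('a'), var(f'A{j}')), var(f'D{j}'),
                                call(f'M{j-1}', var('a'))))
    return dag_size(beta_expand(call(f'M{k}', var('R')), lambdas))

if __name__ == '__main__':
    print([example_7_1(n) for n in range(1, 9)])   # [1, 2, 4, 8, 16, 32, 64, 128]
    print([memory_writes(k) for k in (1, 5, 50)])  # [6, 22, 202]
```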

7.2.2  Elimination  of  Function  and  Predicate  Applications 

The  second  step  in  the  transformation  to  a  Boolean  formula  is  to  eliminate  applications  of  function 
and  predicate  symbols  of  non-zero  arity.  These  applications  are  replaced  by  symbolic  constants 
(integer  or  Boolean,  as  the  case  may  be),  but  only  after  encoding  enough  information  to  maintain 
functional  consistency. 

There are two different techniques of eliminating function (and predicate) applications. The first is
a classic method due to Ackermann [2] that involves creating sufficient instances of the congruence
axiom (as stated in Equation 7.1). The second is a recent technique introduced by Bryant et al. [29]
that exploits the polarity of equations and is based on the use of ITE expressions. We briefly review
each of these methods.

Ackermann ’s  method 

We illustrate Ackermann's method using an example.

Suppose that function symbol f has three occurrences: f(a_1), f(a_2), and f(a_3). First, we generate
three fresh symbolic constants x_{f1}, x_{f2}, and x_{f3} to replace all instances of these applications in
F_norm.

Then, the following set of functional consistency constraints for f is generated:

$$ a_1 = a_2 \Rightarrow x_{f1} = x_{f2} $$

$$ a_1 = a_3 \Rightarrow x_{f1} = x_{f3} $$

$$ a_2 = a_3 \Rightarrow x_{f2} = x_{f3} $$

In a similar fashion, functional consistency constraints are generated for each function and predicate
symbol in F_norm. Denote the conjunction of all these constraints by F_cong. Then, F_arith is the
formula F_cong ⇒ F_norm.

Bryant  et  al.’s  method 

The function elimination method proposed by Bryant et al. exploits a property of function
applications called positive equality. The general idea is to determine the polarity of each equation in
the formula, i.e., whether it appears under an even (positive) or odd (negative) number of negations.
Applications of uninterpreted functions can then be classified as either p-function applications, i.e.,
used only under positive equalities, or g-function applications, i.e., general function applications
that appear under other equalities or under inequalities. The p-function applications can be encoded
in propositional logic with fewer Boolean variables than the g-function applications, thus greatly
simplifying the resulting SAT problem. We omit the details.

In order to exploit positive equality, Bryant et al. eliminate function applications using a nested
series of ITE expressions. As an example, if function symbol f has three occurrences: f(a_1),
f(a_2), and f(a_3), then we would generate three new symbolic constants x_{f1}, x_{f2}, and x_{f3}. We
would then replace all instances of f(a_1) by x_{f1}, all instances of f(a_2) by ITE(a_2 = a_1, x_{f1}, x_{f2}),
and all instances of f(a_3) by ITE(a_3 = a_1, x_{f1}, ITE(a_3 = a_2, x_{f2}, x_{f3})). It is easy to see that this
preserves functional consistency.

Predicate applications can be removed by a similar process. In eliminating applications of some
predicate p, we introduce symbolic Boolean constants x_{p1}, x_{p2}, ....

Function and predicate applications in the resulting formula F_arith are all of zero arity.
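To make the two eliminations concrete, here is an added Python example (not code from the thesis or UCLID) that applies Ackermann's side constraints and Bryant et al.'s nested-ITE replacement to three small constructed formulas over f(a_1), f(a_2), f(a_3), and checks each answer against a brute-force reference over a three-element domain. Representing F_norm as a predicate over the argument values and the values taken by f(a_i) is this example's own simplification.

```python
"""Added example (not thesis or UCLID code): Ackermann's method versus
Bryant et al.'s nested-ITE method for eliminating the applications
f(a_1), ..., f(a_n) of one unary uninterpreted function f.  F_norm is a
Python predicate F(a, v) where v[i] stands for the value of f(a_i); validity
is decided by brute force over a small finite domain."""
from itertools import product


def semantic_valid(F, n, domain):
    """Reference answer: F holds for all a_i and all functions f: domain -> domain."""
    for a in product(domain, repeat=n):
        for f_table in product(domain, repeat=len(domain)):
            f = dict(zip(domain, f_table))
            if not F(a, [f[ai] for ai in a]):
                return False
    return True


def f_cong(a, x):
    """Ackermann's constraints F_cong: a_i = a_j => x_fi = x_fj for every pair."""
    n = len(a)
    return all(a[i] != a[j] or x[i] == x[j]
               for i in range(n) for j in range(i + 1, n))


def ackermann_valid(F, n, domain):
    """F_arith = F_cong => F_norm, with f(a_i) replaced by the fresh constant x_fi."""
    return all(not f_cong(a, x) or F(a, list(x))
               for a in product(domain, repeat=n)
               for x in product(domain, repeat=n))


def naive_valid(F, n, domain):
    """Replacing f(a_i) by x_fi with no consistency information (unsound for validity)."""
    return all(F(a, list(x))
               for a in product(domain, repeat=n)
               for x in product(domain, repeat=n))


def bryant_values(a, x):
    """f(a_i) -> ITE(a_i = a_1, x_f1, ITE(a_i = a_2, x_f2, ... x_fi)): the earliest
    occurrence with an equal argument wins, otherwise the fresh x_fi."""
    vals = []
    for i in range(len(a)):
        v = x[i]
        for j in reversed(range(i)):   # build the ITE chain from the inside out
            v = x[j] if a[i] == a[j] else v
        vals.append(v)
    return vals


def bryant_valid(F, n, domain):
    """No side constraints: F_arith is F_norm with the nested-ITE replacement."""
    return all(F(a, bryant_values(a, x))
               for a in product(domain, repeat=n)
               for x in product(domain, repeat=n))


# Three constructed sample formulas over f(a_1), f(a_2), f(a_3).
def F_sum(a, v):     # a_1 = a_2  =>  f(a_1) + f(a_3) = f(a_2) + f(a_3)      (valid)
    return a[0] != a[1] or v[0] + v[2] == v[1] + v[2]

def F_trans(a, v):   # a_1 = a_2 and a_2 = a_3  =>  f(a_1) = f(a_3)          (valid)
    return not (a[0] == a[1] and a[1] == a[2]) or v[0] == v[2]

def F_bad(a, v):     # f(a_1) = f(a_2)                                       (not valid)
    return v[0] == v[1]


def decide_all(domain=(0, 1, 2)):
    """{name: (semantic, Ackermann, Bryant)} verdicts for the three formulas."""
    return {name: (semantic_valid(F, 3, domain),
                   ackermann_valid(F, 3, domain),
                   bryant_valid(F, 3, domain))
            for name, F in (('F_sum', F_sum), ('F_trans', F_trans), ('F_bad', F_bad))}


if __name__ == '__main__':
    for name, verdict in decide_all().items():
        print(name, verdict)                      # all three methods agree
    print('naive F_sum:', naive_valid(F_sum, 3, (0, 1, 2)))   # False: constraints matter
```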

7.2.3  Summary 

We conclude this section with observations on the worst-case blow-up in formula size in going from
the starting formula F_ucl to the quantifier-free Presburger formula F_arith. The lambda elimination
step can result in a worst-case exponential blow-up. In going from the lambda-free formula F_norm
to F_arith, the worst-case blow-up is only quadratic. Thus, if the result of lambda expansion is linear
in the size of F_ucl, as is typically the case, F_arith is at most quadratic in the size of F_ucl.
7.3 Verification Techniques in UCLID

UCLID is a tool for specifying and verifying systems modeled in the extended logic described in
this chapter. The UCLID system has been publicly available on the Web [156] since May 2001.
It has been applied to a range of systems, including out-of-order, pipelined, microprocessor
designs [89, 90, 95], a complex load-store unit of an industrial microprocessor, a cache coherence
protocol [61], and analyzing software for security vulnerabilities [58]. The last application is the
subject of Section 7.4.

Specifying  Infinite-State  Systems  in  UCLID 

The UCLID specification language can be used to specify an infinite-state system. The state
variables can either have one of three primitive types — Boolean, enumerated, and integer — or are
functions of integer arguments that evaluate to one of these primitive types. The initial (reset) state
of each state variable is described by an expression in the extended logic. The transition relation
is specified by assigning an expression for computing the value of a variable in state i, given the
values of variables in states i − 1 and i. Specifically, the next state of a state variable is specified as
an expression in the extended logic in which references to the values of state variables in the current
and next state can appear in place of symbolic constants. Details on the specification language and
UCLID usage are given in Appendix A; we only mention here that the language was inspired by
and is similar to that of the CMU version of the SMV model checker [42, 98].

It is also worth mentioning one notable feature about the internal encoding of enumerated types in
UCLID. An enumerated type E of k values is encoded as an integer sequence {z_E, z_E + 1, ..., z_E +
k − 1}, where a different symbolic constant z_E is used for each type E. The type checker in the
UCLID front-end enforces the restriction that variables of an enumerated type can only be compared
for equality against other variables of the same enumerated type. Thus, each enumerated type
generates a unique singleton variable class {z_E}. If the small-domain encoding is used, z_E is encoded
with a constant bit encoding. On the other hand, if the Direct encoding is used, each equation
corresponding to an enumerated type gets reduced to either true or false after ITE expressions are
eliminated.

Verification  Techniques 

Figure 7.2 shows how the UCLID verification system is structured. The UCLID verification engine
comprises two main components:

1. A symbolic simulator that can be configured by the user for different kinds of verification
tasks.

2. A decision procedure for the extended logic described in this chapter.

Figure 7.2: Structure of the UCLID system

In  addition,  there  is  a  front-end  that  includes  a  type  checker,  and  a  back-end  that  translates  the  result 
of  the  decision  procedure  into  an  output  either  stating  that  the  system  satisfies  the  property  being 
verified,  or  giving  a  counterexample  comprising  a  sequence  of  states  showing  how  the  property  is 
violated. 

The following verification methods are supported:¹

1. Bounded model checking: The system is symbolically simulated for a fixed number of steps,
specified by the user, starting from a reset state. At each step, the decision procedure is
invoked to check the validity of a safety property. If the property fails, UCLID generates a
counterexample trace from the reset state.

2. Inductive invariant checking: The system is initialized in a most general state satisfying the
invariant to be proved. It is symbolically simulated for one step, and the invariant is checked
on the resulting state by the decision procedure.

3. Proving commutative diagrams: In this method, we attempt to show that a specification
machine simulates an implementation machine. This includes the method of correspondence
checking for superscalar processors, such as in the style of Burch and Dill [34]. UCLID
allows the user to set the values of certain designated state variables at different steps of the
symbolic simulation. For example, in verifying pipelined processors, this allows the user to
specify the steps at which the pipeline must be flushed.

UCLID's decision procedure can check the satisfiability of the Boolean formula ¬F_bool using either
a BDD package or a SAT solver. We have found SAT solvers to outperform BDDs in all practical
applications explored thus far; however, we have also encountered artificially generated examples
on which BDDs outperform SAT.

¹ We only describe the methods supported by the base version of UCLID. Shuvendu Lahiri has built a predicate
abstraction-based verifier [91] on top of UCLID, but describing that tool is outside the scope of this thesis. We only
mention that the Boolean encoding methods described in Chapters 3-7 can be used with Lahiri's work as well.

A very useful feature of UCLID is its ability to generate counterexample traces, like a model
checker. A counterexample to a formula F_ucl in UCLID's logic is a partial interpretation I to
the function and predicate symbols in the formula, which is generated from a satisfying assignment
to ¬F_bool. If the system has been symbolically simulated for k steps, then the interpretation
I generated above can be applied to the expressions at each step, thereby resulting in a complete
counterexample trace for k steps.

Unbounded model checking of infinite-state systems that can be modeled in UCLID is undecidable [31].


7.4  Case  Study:  Finding  Format-String  Exploits 

Format-string vulnerabilities [76, 113] are a dangerous class of security bugs that allow an attacker
to execute arbitrary code on the victim machine. printf is a variable-argument C function that
treats its first argument as a format-string.² A format-string contains conversion specifications,
which are instructions that specify the types that this call on printf expects for its arguments, and
instructions on how to format the output. For instance, the conversion specification "%s" instructs
printf to look for a pointer to a char value as its next argument, and print the value at that location
as a string. When arg does not contain conversion specifiers, the statements printf("%s", arg)
and printf(arg) have the same effect. However, if printf(arg) is used in an application,
and a user can control the value passed to arg, then the application may be susceptible to a format-
string vulnerability. A possible fix for such vulnerabilities is to do a source-to-source transformation
that replaces all occurrences of printf(arg) with printf("%s", arg), but this may not always
be possible, for instance when the source code of the application is not available, or when the
application generates format-strings dynamically.

Shankar et al. [140] have built a tool, Percent-S, to analyze source code and identify "tainted"
format-strings that can be controlled by an attacker. Potentially vulnerable printf locations can
also be identified in binary executables [76]. However, the aforementioned techniques do not
produce format-string exploits, i.e., strings that exploit the vulnerabilities they identify.

We present a novel way to analyze and understand printf-family format-string vulnerabilities.
The format-string can be viewed as a sequence of commands that instructs printf to look for
different types of arguments on the application's runtime stack. We have used UCLID to analyze
potentially vulnerable call sites to printf and determine if an exploit is possible. If an exploit is
possible, UCLID produces a format-string that demonstrates the exploit. Our technique does not
require the source code of the application and can analyze potentially vulnerable printf locations
from binary executables. We have also used UCLID in conjunction with Percent-S to generate
format-strings that exploit the vulnerabilities identified (see Section 7.4.3). Our discussion and
implementation make the following platform-specific assumptions, although the technique applies
to other platforms as well:

1. We work with the x86 architecture. In particular, the runtime stack of an application grows from
higher addresses to lower addresses, and the machine is assumed to be little-endian.

2. The arguments to a function are placed on the stack from right to left. A call to foo(arg1,
arg2) first places arg2 on the stack, followed by arg1. This is a popular C calling convention
implemented by several compilers.

3. We analyze printf from the glibc-2.3 library.

² While we restrict our discussion to printf, the concepts discussed apply to other printf-family functions as
well, e.g., syslog, sprintf.

7.4.1  Background 

This section reviews the working of printf and describes how an attacker can read from or write
to an arbitrary location.

Understanding printf

Consider the code fragment shown in Figure 7.3. Procedure foo accepts user input, which is copied
into the local variable fmt, a local array of LEN characters. printf is then called with fmt as its
argument. Because the first argument to printf can be controlled by the user, this program can
potentially be exploited. When printf is called on line (6), the arguments passed to printf are
placed on the stack, the return address and frame pointer are saved, and space is allocated for the
local variables of printf, as shown in Figure 7.4(A). In this case, printf is called with a pointer
to fmt, which is a local character buffer in foo. This pointer is shown as the darkly shaded region
in Figure 7.4(A).

(1) int foo(char *usrinp) {
(2)   char fmt[LEN];
(3)   int a, b;
(4)   strncpy(fmt, usrinp, LEN - 1);
(5)   fmt[LEN - 1] = '\0';
(6)   printf(fmt);
(7) }

Figure 7.3: A procedure with a vulnerable call to printf


Figure 7.4: Runtime execution stack for the program in Figure 7.3 (panels (A) and (B))

As mentioned earlier, printf assigns special meaning to the first argument passed to it, and treats
it as a format-string. Any other arguments passed to printf appear at higher addresses than the
format-string on the runtime stack. In our case, only fmt was passed as an argument, and hence
there are no other arguments on the runtime stack.

The printf implementation internally maintains two pointers to the stack; we will refer to these
pointers as FMTPTR and ARGPTR. The purpose of FMTPTR is to track the current formatting
character being scanned from the format-string, while ARGPTR keeps track of the location on the stack
from where to read the next argument. Before printf begins to read any arguments, FMTPTR is
positioned at the beginning of the format-string and ARGPTR is positioned just after the pointer to
the format-string fmt, as shown in Figure 7.4(A).

When printf begins to execute, it moves FMTPTR along format-string fmt. Advancing a pointer
makes it move towards higher addresses in memory, hence FMTPTR moves in the direction opposite
to which the stack grows. printf can be in one of two "modes". In printing mode, it reads bytes
off the format-string and prints them. In argument-capture mode, it reads arguments from the stack
from the location pointed to by ARGPTR. The type of the argument, and thus the number of bytes
by which ARGPTR has to be advanced as it reads the argument, is determined by the contents of
the location pointed to by FMTPTR. As FMTPTR and ARGPTR move toward higher addresses, they
reach intermediate configurations, as shown in Figure 7.4(B). Note that ARGPTR advances only if
the contents of fmt cause printf to enter argument-capture mode at least once.

To take a concrete example, suppose that fmt is "Hi%d" when printf is called in Figure 7.3.
printf starts off in printing mode, and advances FMTPTR, printing Hi to stdout as a result.
When FMTPTR encounters the byte "%", it enters argument-capture mode. When FMTPTR is
advanced, it points to the byte "d", which instructs printf to read four bytes from the location
pointed to by ARGPTR and print the resulting value to the terminal as an integer. This also results in
ARGPTR being advanced by four bytes, the size of an integer. Note that no integer arguments were
explicitly passed to printf in Figure 7.3, hence instead of reading a legitimate integer value off
the stack, in this case ARGPTR reads the values of local variables in the stack frame of foo. As a
result, it is possible to read the contents of the stack, which may possibly contain values of interest
to an attacker, such as return addresses.
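The FMTPTR/ARGPTR walk described above, as an added Python model that is not code from the thesis or UCLID: it reports how far ARGPTR moves for a given format string and whether that exceeds the argument bytes the caller actually pushed, which is the check a reviewer wants at a call site like the one in Figure 7.3. It assumes the stated x86 conventions (ints and pointers occupy 4-byte stack slots) and models only a subset of glibc's conversions; anything else is rejected rather than guessed.

```python
"""Added model (not thesis or UCLID code) of printf's two pointers: FMTPTR
walks the format string, ARGPTR walks the stack.  Under the x86 assumptions
of the text every modelled conversion advances ARGPTR by one 4-byte slot."""

# bytes ARGPTR advances for each modelled conversion character (assumed 4-byte slots)
ARG_BYTES = {'d': 4, 'i': 4, 'u': 4, 'x': 4, 'X': 4, 'c': 4, 's': 4, 'p': 4, 'n': 4}
FLAG_CHARS = set('-+ #0123456789.')   # flags, width and precision digits


def simulate_printf(fmt, passed_arg_bytes):
    """Walk FMTPTR over fmt up to the terminating NUL.  Returns
    (argptr_advance, percent_n_writes, overread); overread is True when ARGPTR
    would read beyond the argument bytes the caller pushed, i.e. into whatever
    lies above them on the stack (the situation of Figure 7.3, where no
    arguments besides fmt were passed)."""
    fmtptr, argptr, writes = 0, 0, 0
    while fmtptr < len(fmt) and fmt[fmtptr] != '\0':
        ch = fmt[fmtptr]
        fmtptr += 1
        if ch != '%':
            continue                       # printing mode: the byte is just output
        # argument-capture mode: skip flags/width/precision, read the conversion
        while fmtptr < len(fmt) and fmt[fmtptr] in FLAG_CHARS:
            fmtptr += 1
        if fmtptr >= len(fmt) or fmt[fmtptr] == '\0':
            break                          # dangling '%' at the end of the string
        conv = fmt[fmtptr]
        fmtptr += 1
        if conv == '%':
            continue                       # "%%" prints a '%' and reads no argument
        if conv not in ARG_BYTES:
            raise ValueError(f"conversion %{conv} is not modelled")
        if conv == 'n':
            writes += 1                    # "%n" stores the output count via a pointer read at ARGPTR
        argptr += ARG_BYTES[conv]
    return argptr, writes, argptr > passed_arg_bytes


def audit_call_site(fmt, passed_arg_bytes=0):
    """Defender's check for a printf(fmt, ...) call whose fmt may be user-influenced:
    list findings when fmt reads past the supplied arguments or contains %n."""
    advance, writes, overread = simulate_printf(fmt, passed_arg_bytes)
    findings = []
    if overread:
        findings.append(f"ARGPTR advances {advance} bytes but only "
                        f"{passed_arg_bytes} argument bytes were passed")
    if writes:
        findings.append(f"{writes} %n conversion(s) write through a stack-derived pointer")
    return findings


if __name__ == '__main__':
    # Constructed inputs: the text's "Hi%d" with no extra arguments, as in Figure 7.3
    print(simulate_printf("Hi%d", 0))          # (4, 0, True)
    print(simulate_printf("%08x %s", 8))       # (8, 0, False)
    print(audit_call_site("%x%x%n"))           # two findings
```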

Format-String  Exploits 

The  key  observation  in  understanding  format-string  exploits  is  that  each  byte  in  the  format-string  is 
an  instruction  to  printf  to  move  FMTPTR  and  ARGPTR  by  an  appropriate  amount,  and  to  interpret 
the  arguments  passed  to  it.  In  the  format-string  exploits  discussed  herein,  the  goal  of  the  attacker 
is  to  control  the  contents  of  the  format-string  in  such  a  way  that  ARGPTR  advances  along  the  stack 
until  it  enters  the  format-string  itself.  By  doing  so,  the  attacker  can  control  the  arguments  read  by 
printf  as  well  as  how  those  arguments  are  interpreted. 

Each call to printf is characterized by two parameters, namely the values DIS and LEN shown
in Figure 7.4. The format-string vulnerabilities we consider occur when the format-string is a buffer
on the runtime stack. LEN denotes the length of this buffer. DIS denotes the number of bytes that
separate the pointer to the format-string from the format-string itself. Figure 7.4 shows a simple
scenario where the stack frame containing the format-string and the stack frame of printf are
adjacent. In general, they can be separated by stack frames of several intermediate functions, resulting
in larger values of DIS. From the attacker's viewpoint, ARGPTR has to move by at least DIS bytes
by the time FMTPTR moves LEN − 1 bytes.

There  arc  two  main  kinds  of  format-string  exploits: 

1. Read exploits: One of the ways an attacker can print the contents of memory at address a4a3a2a1, where a4 is the most-significant byte, is to construct a format-string that satisfies the following property: The format-string must move FMTPTR and ARGPTR such that when printf is in printing mode and FMTPTR points to the beginning of a "%s", ARGPTR points to the beginning of a sequence of four bytes whose value as a pointer is a4a3a2a1. Then, when printf reads the "%s", it interprets the argument at ARGPTR as a pointer and prints the contents of the memory location specified by the pointer as a string, which would let the attacker achieve his goal.

2.  Write  exploits:  Another  kind  of  format-string  exploit  allows  an  attacker  to  write  a  value  of 
his  choice  at  a  location  in  memory  chosen  by  him.  To  do  so,  he  makes  use  of  the  "%n" 
feature  provided  by  printf.  When  printf  is  in  printing  mode  and  encounters  a  "%n"  in 
the  format-string,  it  reads  an  argument  off  the  stack,  which  it  interprets  to  be  a  pointer  to  an 
integer.  It  then  writes  to  this  location  the  number  of  bytes  that  have  been  output  by  this  call 
on  printf.  As  the  write  location  is  of  the  attacker’s  choice,  it  could  be  the  return  address 
of  printf,  for  example,  making  printf  return  to  an  attack  script  instead  of  the  function  it 
was  called  from. 

Note that the values of the address bytes a1, a2, a3, a4 must be non-zero, because a zero value is interpreted as '\0', and terminates the format-string. For ease of explanation, we impose the additional restriction that $a_i \neq$ '%' for $i \in \{1, 2, 3, 4\}$. If $a_i =$ '%', the address can contain (parts of) a conversion specifier. However, UCLID can also discover exploits where the address a4a3a2a1 contains "%".

7.4.2  Formal  Specification 

The main insight in deriving a formal model of the problem is to view printf as the system being subverted and the format-string as the input to printf that is under the attacker's control. We will show in this section how printf can be modeled as an infinite-state system and how the two kinds of exploits described in Section 7.4.1 can be formalized as violations of safety properties.

Formal  Model  of  printf 

We  can  model  printf  as  an  infinite-state  system  expressible  in  UCLID  with  the  following  three 
components: 

1. State Variables: The set of state variables V is simply the set of local variables in the implementation of printf that captures the current state. We identified 24 local variables (or "flags") with integer and Boolean values (see footnote 3) by examining the source code and manuals of printf. While our implementation considers all these flags, for ease of explanation we restrict ourselves to describing just four flags: FMTPTR, ARGPTR, DONE, and IS_LONGLONG. FMTPTR and ARGPTR are pointers whose functionality was discussed earlier. We shall treat these as integer values. DONE is an integer that counts the number of bytes printed, and IS_LONGLONG is a Boolean variable that determines whether the argument on the stack is a long long value or not (a long long int is 8 bytes in length). In addition to the local variables in printf, V also includes a variable MODE that models the program counter.

In addition to the state variables mentioned above, we needed to model the runtime stack. This was modeled using an uninterpreted function stack just as illustrated for modeling memories in Section 7.1.2.

2. Initial State: The initial state of printf is determined by the initial values of the flags in V. We assume that all addressing is relative to the initial location of ARGPTR. Thus, the assignments of initial values to the four flags discussed here are as follows: ARGPTR = 0, FMTPTR = DIS, DONE = 0, and IS_LONGLONG = FALSE.

3. Transition Relation: As described earlier, each byte in the format-string is interpreted as an instruction to printf. Thus, the next state of each state variable is a function of the current and next state of other variables as well as the current byte at the stack location pointed to by FMTPTR. For each variable, the next state function involves several cases, far too many to be listed here. We will therefore just illustrate how one of the 256 possible values of the current entry in the format-string buffer affects the next state values of the four variables highlighted here.

Consider the effect of reading the character '%'. If printf is in printing mode (determined by the value of MODE), FMTPTR is incremented, and printf enters argument-capture mode. If printf is in argument-capture mode, then FMTPTR and DONE are incremented, and printf enters printing mode (this corresponds to printing a "%" to stdout). Formally,

$[(\mathit{MODE} = \text{printing}) \rightarrow (\mathit{FMTPTR}' = \mathit{FMTPTR} + 1) \wedge (\mathit{MODE}' = \text{argument-capture})] \wedge [(\mathit{MODE} = \text{argument-capture}) \rightarrow (\mathit{FMTPTR}' = \mathit{FMTPTR} + 1) \wedge (\mathit{DONE}' = \mathit{DONE} + 1) \wedge (\mathit{MODE}' = \text{printing})]$,

where, following customary notation, primed variables denote next-state values of the corresponding variables.

The model of printf described above was manually extracted from the glibc-2.3 source code.

All arithmetic operations performed by printf are expressible as linear arithmetic operators.

Footnote 3: In the actual implementation of printf, the flags are C integer and pointer data types, i.e., finite-precision bit-vectors. In our model, flags that just take two values, 0 and 1, are defined as Boolean variables, while the rest are treated as (unbounded) integers. While this approach achieves efficiency by raising the level of abstraction, it does not model integer overflow, and may lead to imprecision.
Safety Property Formulation

Each  kind  of  format-string  exploit  is  formalized  using  a  predicate  we  shall  denote  by  Bad.  This 
predicate  is  a  formula  on  the  elements  of  V  in  UCLID’s  logic;  viz.,  it  involves  quantifier-free  Pres- 
burger  arithmetic,  uninterpreted  functions,  and  the  theory  of  memories. 

Figure  7.5  shows  the  values  of  the  predicate  Bad  for  the  read-exploit  and  write-exploit  described  in 
Section  7.4.1. 


(A) Bad for Read Exploit:

$$\begin{aligned}
& [\mathit{FMTPTR} \leq \mathit{DIS} + (\mathit{LEN} - 1) - 1] \\
\wedge\; & [\mathit{ARGPTR} \geq \mathit{DIS}] \\
\wedge\; & [\mathit{ARGPTR} \leq \mathit{DIS} + (\mathit{LEN} - 1) - 4] \\
\wedge\; & [*\mathit{FMTPTR} = \text{'\%'}] \\
\wedge\; & [*(\mathit{FMTPTR} + 1) = \text{'s'}] \\
\wedge\; & [*\mathit{ARGPTR} = a_1] \\
\wedge\; & [*(\mathit{ARGPTR} + 1) = a_2] \\
\wedge\; & [*(\mathit{ARGPTR} + 2) = a_3] \\
\wedge\; & [*(\mathit{ARGPTR} + 3) = a_4] \\
\wedge\; & [\mathit{MODE} = \text{printing}]
\end{aligned}$$

(B) Bad for Write Exploit:

$$\begin{aligned}
& [\mathit{FMTPTR} \leq \mathit{DIS} + (\mathit{LEN} - 1) - 1] \\
\wedge\; & [\mathit{ARGPTR} \geq \mathit{DIS}] \\
\wedge\; & [\mathit{ARGPTR} \leq \mathit{DIS} + (\mathit{LEN} - 1) - 4] \\
\wedge\; & [*\mathit{FMTPTR} = \text{'\%'}] \\
\wedge\; & [*(\mathit{FMTPTR} + 1) = \text{'n'}] \\
\wedge\; & [*\mathit{ARGPTR} = a_1] \\
\wedge\; & [*(\mathit{ARGPTR} + 1) = a_2] \\
\wedge\; & [*(\mathit{ARGPTR} + 2) = a_3] \\
\wedge\; & [*(\mathit{ARGPTR} + 3) = a_4] \\
\wedge\; & [\mathit{DONE} = \mathit{writeval}] \\
\wedge\; & [\mathit{MODE} = \text{printing}]
\end{aligned}$$

Figure 7.5: The predicate Bad used for read and write exploits. We use the notation *PTR as a short-form for stack(PTR).

Note  the  following  two  points  about  the  entries  in  Figure  7.5: 

1. The little-endianness of the machine is reflected in the formulation of Bad: bytes are arranged from most-significant to least-significant as addresses decrease; for example, a1 appears at a lower address than a4.

2. Symbolic values of different stack locations, such as those at FMTPTR and ARGPTR, appear in Bad, and show the need to track stack contents precisely.


Verification  Method 


We chose to use the bounded model checking capabilities of UCLID, checking at each step whether the predicate Bad is satisfied. If so, the counterexample generated by UCLID is directly translated to a format-string that demonstrates the exploit. At each call-site to printf, we only need to examine format-strings of length less than or equal to LEN - 1 (we exclude the terminating '\0'). Hence, a bound of LEN - 1 suffices to make bounded model checking complete at that call-site; i.e., a printf location deemed safe using our tool with the bound LEN - 1 will indeed be safe with respect to the class of exploits being checked.

7.4.3  Results 

Given the UCLID model for printf constructed as described in Section 7.4.2 and the predicate Bad for a family of exploits, the only remaining details are the values of DIS and LEN. Note that these values are the only details that are specific to the software being analyzed. The values of DIS and LEN for each printf call are obtained by disassembling the binary executable of the application that calls printf, and examining the call graph and the sizes of stack frames of relevant functions.

In  this  section,  we  describe  the  results  obtained  by  analyzing  the  UCLID  model  for  a  range  of  values 
of  DIS  and  LEN,  both  for  toy  models  and  for  real  software  packages. 

Analysis  for  a  range  of  values  of  DIS  and  LEN 

Figure 7.6 shows some examples of read-exploits produced by the tool for various values of DIS and LEN. For instance, line (3) shows that the format-string "a1a2a3a4%d%s" can be used to read the contents of memory at a4a3a2a1 when DIS and LEN are 4 and 16, respectively. The exploit proceeds as follows: initially FMTPTR points to the format-string, and ARGPTR is 4 smaller than FMTPTR. printf starts execution in printing mode; it advances FMTPTR and prints the bytes a1, a2, a3, and a4 to stdout. When printf reads the '%', it advances FMTPTR by one and enters argument-capture mode. When it reads 'd', it advances FMTPTR by one, reads an integer (4 bytes) from the location pointed to by ARGPTR, prints this integer to stdout, and returns to printing mode. As a result ARGPTR points to the beginning of the format-string, and FMTPTR is positioned at the beginning of the sequence "%s". When printf processes the "%s", the contents of memory at location a4a3a2a1 are printed to stdout.

We make a few more observations on the entries in Figure 7.6:

1.  In  line  (2),  the  tool  is  able  to  infer  that  an  exploit  is  not  possible.  Intuitively,  this  is  because  the 
format-string  is  too  small  to  contain  a  sequence  of  commands  that  carry  out  the  exploit. 

2. Lines (3) and (4) present two format-strings for the same parameters. We achieved this by first observing case (3), and running the tool again, appending a suitable term to Bad to exclude case (3). This technique can be iterated to infer as many variants of this exploit as desired.

Figure 7.6 also gives examples of write-exploits, where the integer 234 is to be written to memory address a4a3a2a1. Consider line (5) for instance; for the values 8 and 16 for DIS and LEN, respectively, the tool inferred the format-string "a1a2a3a4%230g%n". When printf starts execution, it is in printing mode, and ARGPTR is 8 bytes below FMTPTR on the stack. As FMTPTR moves along the format-string, a1, a2, a3, and a4 (4 bytes) are printed to stdout, thus incrementing DONE by 4. The next byte "%" increments FMTPTR by 1 byte and forces printf into argument-capture mode. The next 3 bytes, '2', '3' and '0', are treated as a width parameter, and printf stores the value 230 in an internal flag WIDTH (part of V for printf). When printf processes the next byte, 'g', it advances ARGPTR by 8 bytes, reads a double value from the stack, prints this value (appropriately formatted) to stdout, increments DONE by the value of WIDTH, and returns to printing mode. At this point, ARGPTR points to the beginning of the format-string, whose first four bytes contain a1a2a3a4. DONE is 234, and FMTPTR points to the beginning of the sequence "%n". When printf processes "%n", the value of DONE is written to a4a3a2a1, completing the exploit.

Sl.no.  DIS  LEN  Read exploit: string discovered   Time (sec.)  Write exploit: string discovered   Time (sec.)
(1)       0    7  "a1a2a3a4%s"                                   No exploit possible.                      0.3
(2)       4    7  No exploit possible.                           No exploit possible.                      0.3
(3)       4   16  "a1a2a3a4%d%s"                    0.4          "%234Lg%na1a2a3a4"                        4.8
(4)       4   16  "%Lx%ld%sa1a2a3a4"                1.0          "a1a2a3a4%%%229X%n"                      13.1
(5)       8   16  "a1a2a3a4%Lx%s"                   0.9          "a1a2a3a4%230g%n"                        22.2
(6)      16   16  "%Lg%Lg%sa1a2a3a4"                1.1          "a1a2a3a4%137g%93g%n"                   106.5
(7)      20   20  "a1a2a3a4%Lg%g%s"                 5.3          "a1a2a3a4%210Lg%20g%n"                  148.7
(8)      24   20  "a1a2a3a4%Lg%Lg%s"                2.1          "a1a2a3a4%61Lg%169Lg%n"                 204.2
(9)      32   24  "a1a2a3a4%g%Lg%Lg%s"             13.5          "a1a2a3a4%78Lg%80g%72Lg%n"              343.5

Figure 7.6: Some format-string exploits generated by UCLID. For the write exploit, we chose to write the integer 234 to the memory location with a specific address a4a3a2a1.
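The transition relation of Section 7.4.2 and the predicate Bad of Figure 7.5, as an added example in Python that is not code from the thesis or from UCLID: a simulator of the four-flag model that steps through one concrete format-string and reports the step at which Bad first holds, run over the entries of Figure 7.6. The address bytes, the argument sizes, and the treatment of 'L' on integer conversions are this example's assumptions; unlike UCLID, which searches over all strings symbolically, it only checks a given string against the model, which is what lets a reviewer confirm that a reported string really violates the safety property in the model.

```python
"""
Simulator for the abstract model of printf in Section 7.4.2 (state variables
FMTPTR, ARGPTR, DONE, MODE and the WIDTH flag) and the predicate Bad of
Figure 7.5, run over the entries of Figure 7.6.  Added example; not code from
the thesis or from UCLID.  Assumptions (constructed for this example): the
32-bit sizes of the thesis' setting (int and pointer 4; long long 8; double 8;
long double 12), 'L' on an integer conversion meaning long long, and a
conservative output length equal to the width field (footnote 4).
"""
from dataclasses import dataclass, field
from typing import Optional

PRINTING, CAPTURE = "printing", "argument-capture"
INT_CONV, FLOAT_CONV = "diuxX", "feg"
# Constructed stand-in for the address bytes a1 a2 a3 a4: non-zero and not '%'.
ADDR = b"\x11\x22\x33\x44"


@dataclass
class State:
    fmtptr: int                 # addressing is relative to the initial ARGPTR
    argptr: int = 0
    done: int = 0
    mode: str = PRINTING
    width: int = 0
    modifier: str = ""          # "", "l", "ll" or "L"
    writes: list = field(default_factory=list)   # (pointer bytes, DONE) per %n


def build_stack(dis: int, fmt: bytes, length: int) -> dict:
    """The format-string buffer of LEN bytes starts DIS bytes above ARGPTR;
    it holds fmt, NUL padding and the terminating NUL at DIS + LEN - 1.
    The stack below the buffer is symbolic in UCLID; here it is simply absent."""
    assert len(fmt) <= length - 1, "format-string must fit in LEN - 1 bytes"
    buf = fmt.ljust(length - 1, b"\0") + b"\0"
    return {dis + i: b for i, b in enumerate(buf)}


def bad(st: State, stack: dict, dis: int, length: int, addr: bytes,
        kind: str, writeval: Optional[int] = None) -> bool:
    """The predicate Bad of Figure 7.5 for kind 'read' (%s) or 'write' (%n)."""
    conv = ord("s") if kind == "read" else ord("n")
    hit = (st.fmtptr <= dis + (length - 1) - 1
           and dis <= st.argptr <= dis + (length - 1) - 4
           and stack.get(st.fmtptr) == ord("%")
           and stack.get(st.fmtptr + 1) == conv
           and all(stack.get(st.argptr + k) == addr[k] for k in range(4))
           and st.mode == PRINTING)
    return hit and (kind == "read" or st.done == writeval)


def step(st: State, stack: dict) -> None:
    """Transition relation: the byte at FMTPTR is one instruction to printf."""
    c = chr(stack[st.fmtptr])
    st.fmtptr += 1
    if st.mode == PRINTING:
        if c == "%":
            st.mode, st.width, st.modifier = CAPTURE, 0, ""
        else:
            st.done += 1                          # an ordinary byte is echoed
        return
    if c == "%":                                  # "%%" prints one '%'
        st.done, st.mode = st.done + 1, PRINTING
    elif c.isdigit():                             # width field
        st.width = st.width * 10 + int(c)
    elif c in "lL":
        st.modifier = "ll" if (c == "l" and st.modifier == "l") else c
    elif c in FLOAT_CONV:
        st.argptr += 12 if st.modifier == "L" else 8
        st.done, st.mode = st.done + st.width, PRINTING
    elif c in INT_CONV or c in "sn":
        if c == "n":                              # write DONE through the pointer
            ptr = bytes(stack.get(st.argptr + k, 0) for k in range(4))
            st.writes.append((ptr, st.done))
        else:
            st.done += st.width
        st.argptr += 8 if (c in INT_CONV and st.modifier in ("ll", "L")) else 4
        st.mode = PRINTING
    else:
        raise ValueError(f"byte {c!r} is not modelled")


def first_bad_step(dis: int, length: int, fmt: bytes, addr: bytes, kind: str,
                   writeval: Optional[int] = None) -> Optional[int]:
    """Bounded check with bound LEN - 1: return the step at which Bad first
    holds for this concrete format-string, or None if it never does."""
    stack, st = build_stack(dis, fmt, length), State(fmtptr=dis)
    for i in range(length):
        if bad(st, stack, dis, length, addr, kind, writeval):
            return i
        if stack[st.fmtptr] == 0:                 # NUL terminates the format-string
            return None
        step(st, stack)
    return None


def run(dis: int, length: int, fmt: bytes) -> State:
    """Execute the whole format-string and return the final state; its
    .writes lists every %n as a (pointer bytes, value) pair."""
    stack, st = build_stack(dis, fmt, length), State(fmtptr=dis)
    while stack[st.fmtptr] != 0:
        step(st, stack)
    return st
```

For line (2) of Figure 7.6 this simulator can only show that one particular string fails, whereas UCLID's bounded run proves that no string of length LEN - 1 reaches Bad.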

The  execution  times  shown  in  Figure  7.6  were  obtained  on  a  machine  with  an  Intel  Pentium-4 
processor  running  at  2GHz,  with  1GB  of  RAM,  running  Redhat  Linux-7.2.  For  these  experiments, 
UCLID  used  the  Siege  SAT  solver  [142].  All  runs  completed  within  a  few  minutes.  As  a  general 
trend,  the  time  taken  increases  as  LEN  increases,  although  not  monotonically.  The  reason  is  that 
for  larger  values  of  LEN,  it  is  necessary  to  run  the  bounded  model  checker  UCLID  for  more  steps, 
leading  to  a  larger  formula  for  it  to  check;  the  largest  formulas  were  Boolean  combinations  of  several 
thousand  linear  constraints  over  about  a  hundred  integer  variables.  Note  also  that  the  time  taken  for 
finding  read  exploits  is  much  lower  than  that  for  finding  write  exploits.  This  is  because  finding  a 
write  exploit  involves  solving  a  more  constrained  problem  than  for  the  read  exploit:  In  addition  to 
finding  a  sequence  of  conversion  specifications  that  moves  ARGPTR  into  the  format-string,  one  needs 
to find associated width values that add up to the desired value (234 in Figure 7.6). Furthermore, the length of this sequence can be at most LEN - 1 (of course, this holds for read exploits as well).

Optimizations 

In  our  model  of  printf,  each  byte  in  the  format-string  requires  one  step  of  execution.  As  an 
optimization  we  can  augment  the  model  so  that  more  than  one  character  is  processed  at  a  time.  For 
example,  we  could  augment  the  model  so  that  the  group  of  three  characters  "%Lg"  moves  FMTPTR 
by  3  bytes,  ARGPTR  by  12  bytes,  and  reads  a  long  double  value.  Similarly,  aggregated  groups 
of characters can include conservative width specifiers (see footnote 4); e.g., "%60Lg" increments DONE by 60 in
addition  to  changing  the  other  flags  as  described  above.  Augmenting  the  model  in  this  way  does  not 
affect  soundness  because  we  retain  all  previously  modeled  behavior.  Thus,  all  the  format-strings 
that  UCLID  could  previously  generate  can  still  be  generated.  It  is  an  optimization  because  longer 
strings  can  potentially  be  found  with  fewer  iterations  of  bounded  model  checking. 

Comparison  with  existing  tools 

To  demonstrate  the  effectiveness  of  our  tool,  we  compared  it  with  Percent-S  [140],  a  tool  that  an¬ 
alyzes  source  code  using  type-qualifiers  [57]  to  identify  “tainted”  (i.e.,  user-controlled)  inputs  that 
could  potentially  be  used  as  format-strings.  We  report  on  two  experiments  here:  the  first  show¬ 
ing  how  we  can  reduce  the  false  alarm  rate,  and  the  second  showing  how  we  can  confirm  a  true 
vulnerability  by  generating  an  exploit. 

Consider  the  program  in  Figure  7.3.  When  compiled  on  our  machine,  the  value  of  DIS  is  28  bytes. 
Irrespective of the value of LEN, the size of the buffer fmt, Percent-S reports that the printf
statement  on  line  (6)  is  exploitable.  Clearly,  small  values  of  LEN  preclude  the  possibility  of  attack. 
As  a  result,  Percent-S  produces  false  alarms,  because  it  does  not  account  for  the  values  of  the 
parameters  DIS  and  LEN. 

On the other hand, using our model of printf, we were able to infer that a read-exploit (similar to
the  one  reported  earlier)  is  not  possible  unless  LEN  is  at  least  15  bytes,  and  a  write-exploit  (to  write 
the  integer  234)  is  not  possible  unless  LEN  is  at  least  20  bytes.  In  each  of  these  cases,  our  analysis 
produces  a  format-string  that  demonstrates  the  exploit,  while  Percent-S  does  not. 

We also used the tool to analyze known format-string vulnerabilities in software packages; Table 7.1 has the details. php-3.0.16 is a language-processor for the widely-used web-scripting language php, qpopper-2.53 is a POP3 mail server, and wu-ftpd-2.6.0 is a popular file-transfer daemon. We explain in detail the exploit against wu-ftpd-2.6.0; the others are similar.

Footnote 4: The number of bytes printed is the maximum of the width specifier and that needed to precisely represent the output; so the width specifier must be conservatively large.
No.  Software              DIS   LEN   Exploit                                     Exploit string discovered
(1)  php-3.0.16 [45]        24  1024   Write 0xbfff8cc3 to 0xbfff88c3 (a4a3a2a1)   "a1a2a3a4%36000Lg%31Lg%n" + "?b1b2b3b4%13000Lg%111g%n"
(2)  qpopper-2.53 [132]   2120  1024   Read contents at 0xbfff88c3 (a4a3a2a1)      ("%Lg")^240 + ("?")^62 + "%Ld%Ld%d%d%sa1a2a3a4"
(3)  wu-ftpd-2.6.0 [154]  9364  4096   Write 0xbfffbcab to 0xbfff88c3 (a4a3a2a1)   "a1a2a3a4%99gb1b2b3b4" + ("%60Lg")^778 + "%912g%600Lg%n%852X%n"

Table 7.1: Exploits generated against vulnerabilities in real-world software packages. "?" represents a non-zero non-% ASCII character, and ("s")^k denotes k repetitions of the string s. The address b4b3b2b1 is a4a3a2a1 + 2.

Percent-S correctly identified the location of the vulnerability in wu-ftpd-2.6.0, but did not produce a format-string demonstrating the exploit. The values of DIS and LEN for this example were 9364 and 4096, respectively, which we obtained by disassembling the binary executable. For these values of DIS and LEN, we checked whether the attacker could perform the following exploit: The attacker uses the buffer that stores the format-string to additionally store malicious code, and then overwrites the return address in the stack frame of printf using a write exploit so as to point to the beginning of the malicious code sequence instead. We assumed that the return address to be overwritten is at the stack location 0xbfff88c3, and that the malicious code is located at the address 0xbfffbcab, 13288 bytes above (and hence located within the buffer that stores the format-string). These address values are easily read off the stack using another exploit, as explained in Section 7.4.1. Because the value to be written is fairly large, we used a variant of the predicate Bad that allows for writing to a single address using multiple, slightly misaligned writes of smaller values. (Details on doing such misaligned writes can be found in [113, 154].)

Because the values of DIS and LEN are quite large, we had to use the optimizations described in Section 7.4.3. We were able to infer, in about 10 minutes, a format-string that is the concatenation of the following three strings: a prefix "a1a2a3a4%99gb1b2b3b4", a middle part ("%60Lg")^778 consisting of 778 repetitions of the group of characters "%60Lg", and a suffix "%912g%600Lg%n%852X%n", where a4a3a2a1 is 0xbfff88c3 and b4b3b2b1 = a4a3a2a1 + 2. It can be verified that this string writes the desired value to the desired location. One write is performed by each "%n": the first writes 0xbcab to a4a3a2a1 and the second writes 0xbfff to b4b3b2b1.

Existing format-string exploit generators attempt to construct format strings from fixed conversion specifiers. For instance, Thuemmel [154] constructs format-strings with the "%.8x" conversion specifier as the only building block. As a result, these techniques lack soundness: there may be exploit strings outside the space of strings explored by these tools. By doing an exhaustive search of the state space, our technique guarantees soundness within our model of printf. In addition, existing tools are incapable of finding variants of an exploit. As demonstrated in lines (3) and (4) of Figure 7.6, our technique can be used to discover variants of an exploit for the same values of DIS and LEN.

7.5  Summary 

This  chapter  extended  quantifier-free  Presburger  arithmetic  with  uninterpreted  functions  and  re¬ 
stricted  lambda  expressions.  The  resulting  logic,  which  forms  the  underlying  logic  for  the  UCLID 
verification  system,  is  expressive  and  the  eager  approach  to  translating  to  SAT  can  be  easily  extended 
to  it.  We  have  demonstrated  the  practical  applicability  of  UCLID  by  applying  it  to  the  analysis  of 
format-string  vulnerabilities  and  the  generation  of  exploit  strings  for  real  software  packages. 


Part  II 

Model  Checking  Timed  Systems 


Chapter  8 


Quantified  Difference  Logic 


Quantified  difference  logic  (QDL)  is  the  logic  obtained  by  extending  difference  logic  with  universal 
and  existential  quantifiers.  QDL  has  applications  in  model  checking  timed  systems,  expressed,  for 
example, as timed automata [3, 5], since the fundamental model checking operations are expressible
in  QDL. 

Formally, a QDL formula $\omega$ is generated by the following grammar:

$\omega \;::=\; \phi \mid \neg\omega \mid \omega_1 \wedge \omega_2 \mid \omega_1 \vee \omega_2 \mid \exists x.\omega \mid \exists e.\omega \mid \forall x.\omega \mid \forall e.\omega$   (8.1)

We will denote real-valued variables by $x, x_1, x_2, \ldots$, Boolean variables by $e, e_1, e_2, \ldots$, and real-valued constants by $c, c_1, c_2, \ldots$. As before, $x_0$ denotes a special variable representing the constant 0. The symbol $\phi$ denotes an arbitrary difference logic formula over Boolean and real-valued variables. Unlike in Chapters 3-7, Booleans and reals are the only primitive data types. We will also not employ the ITE construct.

We will denote QDL formulas by $\omega, \omega_1, \omega_2, \ldots$. The satisfiability problem for QDL is known to be PSPACE-complete [86].

In this chapter, we show how to perform operations in QDL using Boolean methods. The general strategy is to transform the problem of eliminating quantifiers on real-valued variables to one of eliminating quantifiers on Boolean variables. Specifically, given a QDL formula $\omega$ with quantifiers over real-valued variables, we transform it to an equivalent QDL formula $\omega_{bool}$ that has quantifiers only over Boolean variables. These quantifiers can then be eliminated using standard Boolean techniques (e.g., [33, 99]) that are based on Binary Decision Diagrams (BDDs) or Boolean satisfiability (SAT) solvers. Compared to previous quantifier elimination approaches, ours has the twin advantages of leveraging previous work on finite-state model checking as well as avoiding the need to enumerate terms in the Disjunctive Normal Form (DNF) of the quantifier-free portion of the formula. Moreover, for a special class of QDL formulas occurring in model checking of timed automata, the transformation can be greatly optimized.

We begin in Section 8.1 by describing how quantifiers over real variables are replaced by those over Boolean variables. The Boolean encoding method employed is very similar to the Direct encoding algorithm introduced in Chapter 3. Next, in Section 8.2, we describe a modified version of the Direct encoding algorithm for DL formulas over real-valued variables. Section 8.3 describes how DL formulas are represented and manipulated as Boolean formulas. Finally, Section 8.4 describes several optimizations that have proved useful in practice. We will defer a discussion of related work to Section 9.1, as all prior work has been done in the context of model checking timed systems.


8.1  Quantifier  Elimination  Using  Boolean  Methods 


Let $\phi$ denote a DL formula over $n$ real variables $x_1, x_2, \ldots, x_n$, and $k$ Boolean variables $e_1, \ldots, e_k$. Also, let $\bowtie, \bowtie_1, \bowtie_2 \in \{>, \geq\}$.

Consider the QDL formula $\omega_a = \exists x_a.\phi$, where $a \in [1..n]$.

We transform $\omega_a$ to an equivalent QDL formula $\omega_{bool}$ with quantifiers over only Boolean variables in the following three steps:


1. Encode difference constraints:

Consider each difference constraint in $\phi$ of the form $x_i \bowtie x_j + c$ where either $i = a$ or $j = a$. For each such predicate, we generate a corresponding Boolean variable $e^{\bowtie,c}_{i,j}$. Difference constraints that are negations of each other are represented by Boolean literals (true or complemented variables) that are negations of each other; however, for ease of presentation, we will extend the naming convention for Boolean variables to Boolean literals, so that the negation of $e^{\bowtie,c}_{i,j}$ is also written as a literal of this form.

Let the added Boolean variables be $e^{\bowtie_{i_1},c_{i_1}}_{i_1,a}, e^{\bowtie_{i_2},c_{i_2}}_{i_2,a}, \ldots, e^{\bowtie_{i_m},c_{i_m}}_{i_m,a}$ for the upper bounds on $x_a$, and $e^{\bowtie_{j_1},c_{j_1}}_{a,j_1}, e^{\bowtie_{j_2},c_{j_2}}_{a,j_2}, \ldots, e^{\bowtie_{j_{m'}},c_{j_{m'}}}_{a,j_{m'}}$ for the lower bounds on it.

We replace each predicate $x_a \bowtie x_j + c$ (or $x_i \bowtie x_a + c$) in $\phi$ by the corresponding Boolean variable $e^{\bowtie,c}_{a,j}$ (or $e^{\bowtie,c}_{i,a}$). Let the resulting DL formula be $\phi^a_{bool}$.

2.  Add  transitivity  constraints: 

Notice that there can be assignments to the $e^{\bowtie,c}_{i,a}$ and $e^{\bowtie,c}_{a,j}$ variables that have no corresponding assignment to the real-valued variables. To disallow such assignments, we place constraints on these added Boolean variables. Each constraint is generated from two Boolean literals that encode predicates containing $x_a$. Following the terminology introduced in Chapter 3, we will refer to these constraints as transitivity constraints for $x_a$.

A transitivity constraint for $x_a$ has one of the following types:

(a) $e^{\bowtie_1,c_1}_{i,a} \wedge e^{\bowtie_2,c_2}_{a,j} \Rightarrow (x_i \bowtie x_j + c_1 + c_2)$, where if $\bowtie_1 = \bowtie_2$, then $\bowtie = \bowtie_1$; otherwise, we must duplicate this constraint for both $\bowtie = \bowtie_1$ and for $\bowtie = \bowtie_2$.

(b) $e^{\bowtie_1,c_1}_{i,j} \Rightarrow e^{\bowtie_2,c_2}_{i,j}$, where $c_1 > c_2$ and either $i = a$ or $j = a$.

(c) $e^{>,c}_{i,j} \Rightarrow e^{\geq,c}_{i,j}$, where either $i = a$ or $j = a$.

Note that a constraint of type (a) involves a difference constraint $(x_i \bowtie x_j + c_1 + c_2)$. This predicate might not be present in the original formula $\phi$.

After generating all transitivity constraints for $x_a$, we conjoin them to get the DL formula $\phi^a_{cons}$.

3. Finally, generate the QDL formula $\omega_{bool}$ given below:

$\omega_{bool} = \exists\, e^{\bowtie_{i_1},c_{i_1}}_{i_1,a}, e^{\bowtie_{i_2},c_{i_2}}_{i_2,a}, \ldots, e^{\bowtie_{i_m},c_{i_m}}_{i_m,a}, e^{\bowtie_{j_1},c_{j_1}}_{a,j_1}, e^{\bowtie_{j_2},c_{j_2}}_{a,j_2}, \ldots, e^{\bowtie_{j_{m'}},c_{j_{m'}}}_{a,j_{m'}} .\; [\phi^a_{cons} \wedge \phi^a_{bool}]$
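The three-step transformation above, as an added example in Python that is not code from the thesis or from UCLID: it encodes the atoms that mention $x_a$ (step 1), generates the transitivity constraints of types (a), (b) and (c) over the encoded literals and their negations (step 2), eliminates the resulting Boolean quantifiers by plain enumeration (step 3), and compares the answer with a direct decision of $\exists x_a.\phi$ on a grid of values for the free variables. The tuple encoding of atoms, the breakpoint-based reference check and the two sample formulas are this example's own assumptions; it also shows why step 2 is needed, since without $\phi^a_{cons}$ a spurious Boolean assignment makes an unsatisfiable instance look satisfiable.

```python
"""
Quantifier elimination for one real variable of a difference-logic (DL)
formula by the three-step Boolean encoding of Section 8.1.  Added example;
not code from the thesis or from UCLID.  Representation (an assumption of
this example): an atom is a tuple (i, j, c, strict) for x_i > x_j + c
(strict=True) or x_i >= x_j + c; a formula is an atom or a nested
("and", ...), ("or", ...), ("not", f) tuple; ("b", atom) is the Boolean
variable e^{bowtie,c}_{i,j} encoding that atom.  x_0 is the constant 0.
"""
from itertools import product

OPS = ("and", "or", "not")


def ev(f, rho, beta=None):
    """Evaluate f under a real assignment rho (var -> value) and a Boolean
    assignment beta (atom -> bool) for the encoded variables ("b", atom)."""
    if f[0] == "b":
        return beta[f[1]]
    if f[0] == "not":
        return not ev(f[1], rho, beta)
    if f[0] in OPS:
        return (all if f[0] == "and" else any)(ev(g, rho, beta) for g in f[1:])
    i, j, c, strict = f
    return rho[i] > rho[j] + c if strict else rho[i] >= rho[j] + c


def atoms(f):
    if f[0] == "b":
        return []
    return [a for g in f[1:] for a in atoms(g)] if f[0] in OPS else [f]


def encode(f, a):
    """Step 1: replace every atom mentioning x_a by its Boolean variable."""
    if f[0] in OPS:
        return (f[0],) + tuple(encode(g, a) for g in f[1:])
    return ("b", f) if f[0] != "b" and a in f[:2] else f


def neg(k):
    """The negation of x_i bowtie x_j + c is the DL atom x_j bowtie' x_i - c."""
    i, j, c, strict = k
    return (j, i, -c, not strict)


def lit(k, keys):
    """Boolean literal for atom k: its own variable if k was encoded, otherwise
    the complement of the variable encoding its negation (as in step 1)."""
    return ("b", k) if k in keys else ("not", ("b", neg(k)))


def transitivity(keys, a):
    """Step 2: phi^a_cons, the conjunction of constraints of types (a), (b), (c)
    over all literals (encoded atoms and their negations) that mention x_a."""
    lits = set(keys) | {neg(k) for k in keys}
    ups = [k for k in lits if k[1] == a]    # x_i bowtie x_a + c: upper bounds on x_a
    lows = [k for k in lits if k[0] == a]   # x_a bowtie x_j + c: lower bounds on x_a
    cons = []
    for (i, _, c1, s1), (_, j, c2, s2) in product(ups, lows):
        both = ("and", lit((i, a, c1, s1), keys), lit((a, j, c2, s2), keys))
        for s in ({s1} if s1 == s2 else {s1, s2}):   # type (a), duplicated if the relations differ
            cons.append(("or", ("not", both), (i, j, c1 + c2, s)))
    for k1, k2 in product(lits, lits):                # types (b) and (c)
        if k1[:2] == k2[:2] and (k1[2] > k2[2] or (k1[2] == k2[2] and k1[3] and not k2[3])):
            cons.append(("or", ("not", lit(k1, keys)), lit(k2, keys)))
    return ("and",) + tuple(cons)


def exists_bool(f, a, rho, use_cons=True):
    """Step 3 evaluated under rho: omega_bool = exists e-vars . [phi^a_cons and
    phi^a_bool], with the Boolean quantifiers eliminated by enumeration (UCLID
    would use BDDs or SAT here).  use_cons=False drops phi^a_cons to exhibit
    the spurious assignments that step 2 rules out."""
    keys = sorted({k for k in atoms(f) if a in k[:2]})
    phi_bool, phi_cons = encode(f, a), transitivity(keys, a)
    for bits in product((False, True), repeat=len(keys)):
        beta = dict(zip(keys, bits))
        if (not use_cons or ev(phi_cons, rho, beta)) and ev(phi_bool, rho, beta):
            return True
    return False


def exists_real(f, a, rho):
    """Reference decision of exists x_a . phi: each atom changes truth only at
    a breakpoint x_j + c (or x_i - c), so trying every breakpoint, the midpoints
    between consecutive ones and one point beyond each end is exact."""
    pts = sorted({rho[j] + c for (i, j, c, _) in atoms(f) if i == a} |
                 {rho[i] - c for (i, j, c, _) in atoms(f) if j == a})
    if not pts:
        return ev(f, {**rho, a: 0.0})
    cands = set(pts) | {pts[0] - 1, pts[-1] + 1} | {(p + q) / 2 for p, q in zip(pts, pts[1:])}
    return any(ev(f, {**rho, a: v}) for v in cands)


def agrees_on_grid(f, a, free_vars, values):
    """True iff omega_bool and exists x_a . phi agree on every grid assignment."""
    return all(exists_bool(f, a, rho) == exists_real(f, a, rho)
               for vals in product(values, repeat=len(free_vars))
               for rho in [{**dict(zip(free_vars, vals)), 0: 0.0}])


# Constructed formulas with a = 3.  F1 is x_1 < x_3 < x_2; F2 mixes disjunction,
# negation and a bound against the constant x_0.
F1 = ("and", (3, 1, 0, True), (2, 3, 0, True))
F2 = ("or", ("and", (3, 1, 2, False), (2, 3, 1, True)),
      ("and", ("not", (3, 0, -1, False)), (3, 2, 0, True)))
```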


We  formalize  the  correctness  of  the  preceding  transformation  in  the  following  theorem. 


Theorem 8.1 $\omega_a$ and $\omega_{bool}$ are equivalent.


Proof: To show that $\omega_a$ and $\omega_{bool}$ are equivalent, we show that $\omega_a \Rightarrow \omega_{bool}$ and $\omega_{bool} \Rightarrow \omega_a$.

Denote the formula $\omega_a \Rightarrow \omega_{bool}$ by $\omega^1$ and the formula $\omega_{bool} \Rightarrow \omega_a$ by $\omega^2$. Note first that the free variables in both implications are the real-valued variables $x_1, x_2, \ldots, x_{a-1}, x_{a+1}, \ldots, x_n$ and the Boolean variables $e_1, e_2, \ldots, e_k$. For all $i$ and $j$, the values assigned to $x_i$ and $e_j$ by an assignment $\sigma$ are denoted by $\sigma[x_i]$ and $\sigma[e_j]$ respectively.


1. We first show that $\omega^1$ is valid.

Let $\sigma$ denote an arbitrary assignment to all free variables and to the bound real variable $x_a$ in $\omega_a$ such that $\sigma[\omega_a] = \mathit{true}$. We extend $\sigma$ with an assignment to the Boolean variables $e^{\bowtie_{i_1},c_{i_1}}_{i_1,a}, e^{\bowtie_{i_2},c_{i_2}}_{i_2,a}, \ldots, e^{\bowtie_{i_m},c_{i_m}}_{i_m,a}, e^{\bowtie_{j_1},c_{j_1}}_{a,j_1}, e^{\bowtie_{j_2},c_{j_2}}_{a,j_2}, \ldots, e^{\bowtie_{j_{m'}},c_{j_{m'}}}_{a,j_{m'}}$ such that $\sigma[\omega_{bool}] = \mathit{true}$ and hence $\sigma[\omega^1] = \mathit{true}$.

Define an evaluation of the newly added Boolean variables according to the following rules:

$\sigma[e^{\bowtie,c}_{a,j}] = \sigma[x_a \bowtie x_j + c] \quad \forall j \neq a$, for all constants $c$ and relations $\bowtie$   (8.2)

$\sigma[e^{\bowtie,c}_{i,a}] = \sigma[x_i \bowtie x_a + c] \quad \forall i \neq a$, for all constants $c$ and relations $\bowtie$   (8.3)

Since $\sigma[\omega_a] = \mathit{true}$, $\sigma[\phi] = \mathit{true}$. Further, using Equations 8.2 and 8.3, we can conclude that $\sigma[\phi^a_{bool}] = \sigma[\phi]$ because $\phi^a_{bool}$ is obtained from $\phi$ by replacing predicates $(x_a \bowtie x_j + c)$ and $(x_i \bowtie x_a + c')$ (for all $i$, $j$ and for all constants $c$, $c'$) with Boolean variables $e^{\bowtie,c}_{a,j}$ and $e^{\bowtie,c'}_{i,a}$. Therefore, $\sigma[\phi^a_{bool}] = \mathit{true}$.
To show that $\sigma[\omega_{bool}] = \mathit{true}$, we need to additionally show that $\sigma[\phi^a_{cons}] = \mathit{true}$. We consider an arbitrary transitivity constraint of each type:

(a) $e^{\bowtie_1,c_1}_{i,a} \wedge e^{\bowtie_2,c_2}_{a,j} \Rightarrow (x_i \bowtie x_j + c_1 + c_2)$.

Suppose $\sigma[e^{\bowtie_1,c_1}_{i,a}] = \sigma[e^{\bowtie_2,c_2}_{a,j}] = \mathit{true}$. Then, by Equations 8.2 and 8.3, we conclude that $\sigma[x_i] \bowtie_1 \sigma[x_a] + c_1$ and $\sigma[x_a] \bowtie_2 \sigma[x_j] + c_2$. If $\bowtie_1 = \bowtie_2 = \bowtie$, we can infer $\sigma[x_i] \bowtie \sigma[x_j] + c_1 + c_2$, and thus $\sigma[x_i \bowtie x_j + c_1 + c_2] = \mathit{true}$. If $\bowtie_1 \neq \bowtie_2$, then we can infer $\sigma[x_i \bowtie_1 x_j + c_1 + c_2] = \sigma[x_i \bowtie_2 x_j + c_1 + c_2] = \mathit{true}$.

(b) $e^{\bowtie_1,c_1}_{i,j} \Rightarrow e^{\bowtie_2,c_2}_{i,j}$, where $c_1 > c_2$ and either $i = a$ or $j = a$.

Suppose $\sigma[e^{\bowtie_1,c_1}_{i,j}] = \mathit{true}$. Then, by Equations 8.2 and 8.3, $\sigma[x_i \bowtie_1 x_j + c_1] = \mathit{true}$. Since $c_1 > c_2$, $\sigma[x_i \bowtie_2 x_j + c_2] = \mathit{true}$, and hence $\sigma[e^{\bowtie_2,c_2}_{i,j}] = \mathit{true}$.

(c) $e^{>,c}_{i,j} \Rightarrow e^{\geq,c}_{i,j}$, where either $i = a$ or $j = a$.

Exactly as for type (b) constraints, $\sigma[e^{>,c}_{i,j}] = \sigma[x_i > x_j + c] = \mathit{true}$. Therefore, $\sigma[x_i \geq x_j + c] = \mathit{true}$ and hence $\sigma[e^{\geq,c}_{i,j}] = \mathit{true}$.

Thus, $\sigma$ satisfies all transitivity constraints, and hence $\sigma[\phi^a_{cons}] = \mathit{true}$, completing the proof for the first part.


2. We now show that $\omega^2$ is valid.

Let $\sigma$ denote an arbitrary assignment to all free variables and to the bound Boolean variables in $\omega_{\mathit{bool}}$ such that $\sigma[\omega_{\mathit{bool}}] = \mathit{true}$. We extend $\sigma$ with an evaluation of $x_a$ such that $\sigma[\omega_a] = \mathit{true}$ and hence $\sigma[\omega^2] = \mathit{true}$.

Since $\sigma[\omega_{\mathit{bool}}] = \mathit{true}$, we know that $\sigma[\phi^a_{\mathit{cons}}] = \mathit{true}$ (i.e., the transitivity constraints are satisfied by $\sigma$) and $\sigma[\phi^a_{\mathit{bool}}] = \mathit{true}$.

Suppose we can find a value $\sigma[x_a]$ that satisfies the following equations:

$$\sigma[x_a \bowtie x_j + c] = \sigma[e^{\bowtie,c}_{a,j}] \quad \forall j \neq a,\ \forall \text{ constants } c \qquad (8.4)$$

$$\sigma[x_i \bowtie x_a + c] = \sigma[e^{\bowtie,c}_{i,a}] \quad \forall i \neq a,\ \forall \text{ constants } c \qquad (8.5)$$

Then, $\sigma[\phi^a_{\mathit{bool}}] = \sigma[\phi]$ because $\phi^a_{\mathit{bool}}$ is obtained from $\phi$ by replacing the predicates $(x_a \bowtie x_j + c)$ and $(x_i \bowtie x_a + c')$ (for all $i$, $j$ and for all constants $c$, $c'$) with the Boolean variables $e^{\bowtie,c}_{a,j}$ and $e^{\bowtie,c'}_{i,a}$. Since $\sigma[\phi^a_{\mathit{bool}}] = \mathit{true}$, $\sigma[\phi] = \mathit{true}$, and hence $\sigma[\omega_a] = \mathit{true}$.

A value $\sigma[x_a]$ that satisfies Equations 8.4 and 8.5 exists if:

$$\sigma[x_a] > \sigma[x_j] + c \quad \text{if } \sigma[e^{>,c}_{a,j}] = \mathit{true} \qquad (8.6)$$

$$\sigma[x_a] \leq \sigma[x_j] + c \quad \text{if } \sigma[e^{>,c}_{a,j}] = \mathit{false} \qquad (8.7)$$

$$\sigma[x_a] \geq \sigma[x_j] + c \quad \text{if } \sigma[e^{\geq,c}_{a,j}] = \mathit{true} \qquad (8.8)$$

$$\sigma[x_a] < \sigma[x_j] + c \quad \text{if } \sigma[e^{\geq,c}_{a,j}] = \mathit{false} \qquad (8.9)$$

In the above equations, w.l.o.g., we use literals encoding lower bounds on $x_a$ (e.g., $e^{\bowtie,c}_{a,j}$) in place of those encoding upper bounds (e.g., $e^{\bowtie,c}_{j,a}$).

Let

$$U_a = \min_{j,\,c \text{ s.t. } \sigma[e^{\bowtie,c}_{a,j}] = \mathit{false}} \left(\sigma[x_j] + c\right)$$

and

$$L_a = \max_{j,\,c \text{ s.t. } \sigma[e^{\bowtie,c}_{a,j}] = \mathit{true}} \left(\sigma[x_j] + c\right)$$

$U_a$ and $L_a$ are respectively the tightest upper and lower bounds on $\sigma[x_a]$. Define the ordering relation $\diamond$ as follows:

$$\diamond = \begin{cases} \geq & \text{if the tightest bounds are non-strict, i.e., } \sigma[x_a] \leq U_a \text{ and } \sigma[x_a] \geq L_a \\ > & \text{otherwise} \end{cases} \qquad (8.10)$$

Then, the inequalities 8.6 to 8.9 can be satisfied if:

$$U_a \diamond L_a \qquad (8.11)$$

In other words, if the minimum upper bound on $\sigma[x_a]$ is greater than (or greater than or equal to) the maximum lower bound on $\sigma[x_a]$.

To show that the above is true, it is enough to show that for any pair of upper and lower bounds on $\sigma[x_a]$, the relation $\diamond$ holds, and so it holds in particular for the minimum upper bound and the maximum lower bound. For example, for the two inequalities $\sigma[x_a] < \sigma[x_j] + c_1$ and $\sigma[x_a] > \sigma[x_k] + c_2$ to be true we need that $\sigma[x_j] + c_1 > \sigma[x_k] + c_2$.

Therefore, consider two arbitrary indices $j$ and $k$ different from $a$. We need to consider four cases based on the evaluations of the Boolean literals $e^{\bowtie_1,c_1}_{a,j}$ and $e^{\bowtie_2,c_2}_{a,k}$. Note that cases in which both literals evaluate to true or both to false only give rise to two lower bounds or to two upper bounds. By the transitivity constraints of types (b) and (c), if the minimum upper bound (or maximum lower bound) is satisfied, then every other upper bound (or lower bound) will be satisfied.

The four cases are enumerated below:

(a) $\sigma[e^{\geq,c_1}_{a,j}] = \mathit{false}$, $\sigma[e^{\geq,c_2}_{a,k}] = \mathit{true}$.

This implies that

$$\sigma[x_j] > \sigma[x_a] - c_1 \quad \text{and} \quad \sigma[x_a] \geq \sigma[x_k] + c_2$$

We need to show that

$$\sigma[x_j] + c_1 > \sigma[x_k] + c_2$$

or

$$\sigma[x_j] > \sigma[x_k] + (c_2 - c_1)$$

The last inequality is true, since $\sigma$ satisfies the transitivity constraint $\neg e^{\geq,c_1}_{a,j} \wedge e^{\geq,c_2}_{a,k} \Rightarrow (x_j > x_k + c_2 - c_1)$.

(b) $\sigma[e^{>,c_1}_{a,j}] = \mathit{false}$, $\sigma[e^{>,c_2}_{a,k}] = \mathit{true}$.

This case is identical to the one above, with $>$ and $\geq$ interchanged.

(c) $\sigma[e^{>,c_1}_{a,j}] = \mathit{false}$, $\sigma[e^{\geq,c_2}_{a,k}] = \mathit{true}$.

This implies that

$$\sigma[x_j] \geq \sigma[x_a] - c_1 \quad \text{and} \quad \sigma[x_a] \geq \sigma[x_k] + c_2$$

We need to show that

$$\sigma[x_j] + c_1 \geq \sigma[x_k] + c_2$$

or

$$\sigma[x_j] \geq \sigma[x_k] + (c_2 - c_1)$$

The last inequality is true, since $\sigma$ satisfies the transitivity constraint $\neg e^{>,c_1}_{a,j} \wedge e^{\geq,c_2}_{a,k} \Rightarrow (x_j \geq x_k + c_2 - c_1)$.

(d) $\sigma[e^{\geq,c_1}_{a,j}] = \mathit{false}$, $\sigma[e^{>,c_2}_{a,k}] = \mathit{true}$.

This case is identical to the one above, with $>$ and $\geq$ interchanged.

Thus, we can conclude that Equation 8.11 is satisfied, completing the proof of this part.


□ 

We  illustrate  the  transformation  with  a  simple  example. 


Example 8.1 Let $\omega_a = \exists x_a.\phi$ where $\phi = x_a \leq x_0 \wedge x_1 \geq x_a \wedge x_2 < x_a$. Then, $\phi^a_{\mathit{bool}} = e^{\geq,0}_{0,a} \wedge e^{\geq,0}_{1,a} \wedge e^{>,0}_{a,2}$. $\phi^a_{\mathit{cons}}$ is the conjunction of the following constraints:

1. $e^{\geq,0}_{0,a} \wedge e^{>,0}_{a,2} \Rightarrow x_0 > x_2$

2. $e^{\geq,0}_{1,a} \wedge e^{>,0}_{a,2} \Rightarrow x_1 > x_2$

Then, $\omega_{\mathit{bool}} = \exists e^{\geq,0}_{0,a}, e^{\geq,0}_{1,a}, e^{>,0}_{a,2}.[\phi^a_{\mathit{bool}} \wedge \phi^a_{\mathit{cons}}]$ evaluates to $x_0 > x_2 \wedge x_1 > x_2$.


□ 


The quantifier transformation procedure described here works even when $\phi$ is replaced by a QDL formula with quantifiers only over Boolean variables. In the general case, $\phi$ can be replaced by $\exists e_1, e_2, \ldots, e_l.\phi'$ where $\phi'$ is a DL formula. The transformation extends to this more general case for the following reason: any satisfying assignment $\sigma$ for $\omega_a$ can be extended to one for $\omega_{\mathit{bool}}$ (and vice-versa), as in the proof of Theorem 8.1, keeping the partial assignment to $e_1, e_2, \ldots, e_l$ unchanged.


8.2 Satisfiability Checking of DL Formulas over $\mathbb{R}$

Suppose we want to decide the satisfiability of a DL formula $\phi$. The Direct encoding method introduced in Chapter 3 cannot directly be used as it assumes that the DL formula has integer variables and constants, and hence that every difference constraint can be re-written as a non-strict inequality.

We use a Boolean encoding algorithm that differs slightly from the Direct encoding algorithm and is based on the following fact: the DL formula $\phi$ is satisfiable iff the QDL formula $\omega_{1..n} = \exists x_1, x_2, \ldots, x_n.\phi$ is satisfiable.

We can transform $\omega_{1..n}$ to an equivalent QDL formula $\omega_{\mathit{bool}}$ with existential quantifiers only over Boolean variables encoding all difference constraints. This is done by first imposing an order on the variables $x_1, x_2, \ldots, x_n$, and then eliminating the quantifiers over those variables in that order, one at a time, using Theorem 8.1. The resulting formula $\omega_{\mathit{bool}}$ is a quantified Boolean formula with only existential quantifiers. Therefore, its satisfiability can be decided by simply discarding the quantifiers and using a Boolean satisfiability solver to decide the resulting Boolean formula.

The order in which variables are eliminated from $\omega_{1..n}$ can have an impact on the size of the resulting Boolean formula. For instance, suppose that $\phi = x_1 > x_2 \wedge x_2 > x_3$. If we choose to eliminate $x_2$ first, we will generate a new inequality $x_1 > x_3$ and a corresponding transitivity constraint. However, if instead we eliminate $x_1$ first, we will generate no transitivity constraints. Observe that none are required to preserve satisfiability.

A good variable elimination order is the one used in the Direct encoding algorithm in Chapter 3. For each quantified real-valued variable $x_i$, we count the number of upper and lower bound constraints for it and compute the product of the counts. (The counts are updated as new constraints are added.) Variables are eliminated in increasing order of their corresponding products.

Note  that  the  procedure  described  above  can  be  viewed  as  one  way  to  implement  the  algorithm  given 
by  Strichman  et  al.  [148]. 
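The following Python (an added example, not the thesis's code) carries out the transformation of Theorem 8.1 on Example 8.1 and then uses it, with the elimination-order heuristic above, to decide DL satisfiability as this section describes. The tuple-based formula representation, the variable names `x0`, `xa`, and so on, the treatment of `x0` as the zero variable and the syntactic counting in `bound_product` are assumptions of the example; Boolean quantifiers are decided by brute force in place of a SAT solver.

```python
"""Theorem 8.1-style elimination of one real variable from a DL formula, plus the
Section 8.2 satisfiability procedure.  Added example code, not the thesis's own.
Formula representation (an assumption of this example):
  ('c', i, rel, j, k)  x_i rel x_j + k, rel in {'>', '>='}; x_i < x_j + k is written
                       ('not', ('c', i, '>=', j, k)) as in Section 8.3
  ('b', name) Boolean variable; ('const', bool); ('not', f); ('and', f, g);
  ('or', f, g); ('implies', f, g); ('exists', names, f) over Boolean names only
"""
from itertools import product
ATOMS = ('c', 'b', 'const')

def constraint(i, rel, j, k):
    """x_i rel x_j + k; the degenerate case i == j folds to a constant."""
    if i == j:
        return ('const', k < 0 or (k == 0 and rel == '>='))
    return ('c', i, rel, j, k)

def atoms(f, pred):
    """Distinct atoms of f satisfying pred (quantifiers are looked through)."""
    if f[0] in ATOMS:
        return {f} if pred(f) else set()
    subs = (f[2],) if f[0] == 'exists' else f[1:]
    return set().union(*(atoms(g, pred) for g in subs))

def replace(f, mapping):
    """Substitute atoms according to mapping, keeping the Boolean structure."""
    if f[0] in ATOMS:
        return mapping.get(f, f)
    if f[0] == 'exists':
        return ('exists', f[1], replace(f[2], mapping))
    return (f[0],) + tuple(replace(g, mapping) for g in f[1:])

def bvar(c):
    """Boolean variable e^{rel,k}_{i,j} standing for x_i rel x_j + k."""
    return ('b', 'e[%s,%s]^(%s,%d)' % (c[1], c[3], c[2], c[4]))

def eliminate(a, phi):
    """Turn ∃x_a.phi into ω_bool = ∃e's.(phi_bool ∧ phi_cons), quantifying only
    over Booleans; returns (ω_bool, list of transitivity constraints)."""
    touches = atoms(phi, lambda c: c[0] == 'c' and a in (c[1], c[3]))
    mapping = {c: bvar(c) for c in touches}
    uppers = [c for c in touches if c[3] == a]  # x_i ⋈ x_a + c: upper bound on x_a
    lowers = [c for c in touches if c[1] == a]  # x_a ⋈ x_j + c: lower bound on x_a
    cons = []
    # type (a): e_{i,a} ∧ e_{a,j} ⇒ x_i ⋈ x_j + c1 + c2, strict if either bound is
    for u in uppers:
        for l in lowers:
            rel = '>' if '>' in (u[2], l[2]) else '>='
            cons.append(('implies', ('and', mapping[u], mapping[l]),
                         constraint(u[1], rel, l[3], u[4] + l[4])))
    for c1 in touches:
        for c2 in touches:
            if (c1[1], c1[3]) != (c2[1], c2[3]):
                continue
            # type (b): larger constant implies the other; type (c): strict implies non-strict
            if c1[4] > c2[4] or (c1[4] == c2[4] and (c1[2], c2[2]) == ('>', '>=')):
                cons.append(('implies', mapping[c1], mapping[c2]))
    body = replace(phi, mapping)
    for c in cons:
        body = ('and', body, c)
    return ('exists', tuple(sorted(v[1] for v in mapping.values())), body), cons

def evaluate(f, env):
    """Truth value of f under env (reals for x names, Booleans for e names);
    existential Boolean quantifiers are brute-forced, adequate at this size."""
    t = f[0]
    if t == 'c':
        lhs, rhs = env[f[1]], env[f[3]] + f[4]
        return lhs > rhs if f[2] == '>' else lhs >= rhs
    if t in ('b', 'const'):
        return env[f[1]] if t == 'b' else f[1]
    if t == 'not':
        return not evaluate(f[1], env)
    if t in ('and', 'or', 'implies'):
        l, r = evaluate(f[1], env), evaluate(f[2], env)
        return l and r if t == 'and' else (l or r if t == 'or' else (not l) or r)
    return any(evaluate(f[2], {**env, **dict(zip(f[1], bits))})
               for bits in product((False, True), repeat=len(f[1])))

def bound_product(phi, v):
    """Section 8.2 score: (#lower bounds on x_v) * (#upper bounds on x_v), counted
    syntactically over constraint atoms (an assumption of this example)."""
    cs = atoms(phi, lambda c: c[0] == 'c')
    return sum(c[1] == v for c in cs) * sum(c[3] == v for c in cs)

def satisfiable(phi, variables):
    """Section 8.2: eliminate each real variable in increasing bound_product order
    (recomputed after every step), then decide the purely Boolean result.
    x0 is the zero variable and is never eliminated."""
    remaining = list(variables)
    while remaining:
        v = min(remaining, key=lambda v: bound_product(phi, v))
        phi, _ = eliminate(v, phi)
        remaining.remove(v)
    return evaluate(phi, {'x0': 0})

# Example 8.1: φ = x_a ≤ x_0 ∧ x_1 ≥ x_a ∧ x_2 < x_a (x_a ≤ x_0 written as x_0 ≥ x_a)
PHI_81 = ('and', ('and', constraint('x0', '>=', 'xa', 0), constraint('x1', '>=', 'xa', 0)),
          constraint('xa', '>', 'x2', 0))
OMEGA_81, CONS_81 = eliminate('xa', PHI_81)  # CONS_81 holds the two constraints of Example 8.1
# Section 8.2 example: x1 > x2 ∧ x2 > x3; eliminating x2 first creates x1 > x3
CHAIN_82 = ('and', constraint('x1', '>', 'x2', 0), constraint('x2', '>', 'x3', 0))
```

Evaluating `OMEGA_81` at a point `(x0, x1, x2)` gives exactly `x0 > x2 and x1 > x2`, matching Example 8.1.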


8.3  Representation  and  Manipulation  of  DL  Formulas 

The material discussed up to this point does not rely on any specific representation of DL formulas. However, since we make use of Boolean methods for quantifier elimination and satisfiability solving, it is convenient to encode a DL formula $\phi$ as a Boolean formula $\beta$.

The encoding is performed as follows. Consider each difference constraint $x_i \bowtie x_j + c$ in $\phi$. As in Section 8.1, we introduce a Boolean variable $e^{\bowtie,c}_{i,j}$ for $x_i \bowtie x_j + c$, only this time we do it for every single difference constraint. Also as before, difference constraints that are negations of each other are represented by Boolean literals that are negations of each other. We then replace each difference constraint in $\phi$ by its corresponding Boolean literal. The resulting Boolean formula is $\beta$. Standard representations of Boolean functions, such as Binary Decision Diagrams (BDDs) [27], can be used to represent $\beta$.

Clearly, $\beta$, by itself, stores insufficient information for generating transitivity constraints. Therefore, we also store the 1-1 mapping of difference constraints to the Boolean literals that encode them. However, this mapping is used only lazily, i.e., when generating transitivity constraints during quantification and in deciding DL formulas.

Substitution 

A common operation in model checking is to substitute a "next-state" version of a state variable (Boolean or real-valued) by the "current-state" version or by an expression of the corresponding type.

Given the Boolean representation described above, we implement substitution of a real-valued variable $x_i$ by substituting the Boolean variables corresponding to difference constraints containing $x_i$. Specifically, for a real-valued variable $x_i$, we perform the substitution $[x_i \mapsto x_k + d]$ (where $k = 0$ or $d = 0$) by replacing all Boolean variables of the form $e^{\bowtie,c}_{i,j}$ and $e^{\bowtie,c}_{j,i}$, for all $j$, by the variables $e^{\bowtie,c-d}_{k,j}$ and $e^{\bowtie,c+d}_{j,k}$ respectively, creating fresh replacement variables if necessary.

Substitution of a Boolean variable by the Boolean encoding of a difference logic formula is done by Boolean function composition.


8.4  Optimizations 

The quantifier elimination method presented in Section 8.1 can be optimized in a few ways.

First, we can use the Boolean structure of the QDL formula to be more selective in deciding when to add transitivity constraints. Second, the quantifier elimination method can be optimized for a special class of QDL formulas that arise commonly in model checking timed systems. We describe these two optimizations in Sections 8.4.1 and 8.4.2 respectively.

There is one other optimization, described in Section 8.4.3, that is specific to a BDD representation of DL formulas. This optimization eliminates paths in the BDD representation that violate transitivity constraints.

8.4.1 Determining if Bounds are Conjoined

Suppose $\phi$ is a DL formula with Boolean encoding $\beta$, and we wish to eliminate the quantifier in $\exists x_a.\phi$. As described in Section 8.1, a transitivity constraint for $x_a$ involves two Boolean literals that encode difference constraints involving $x_a$. For a syntactic representation of $\beta$, as the number of constraints grows, so does the size of $[\beta^a_{\mathit{cons}} \wedge \beta^a_{\mathit{bool}}]$, the Boolean encoding of $[\phi^a_{\mathit{cons}} \wedge \phi^a_{\mathit{bool}}]$. Further, new difference constraints can be added when a transitivity constraint is generated from an upper bound and a lower bound on $x_a$. For a BDD-based implementation, this corresponds to the addition of a new BDD variable. We would therefore like to avoid adding transitivity constraints wherever possible.

In fact, we only need to add a constraint involving an upper bound literal and a lower bound literal if they are conjoined in a minimized DNF representation of $\beta$.¹ From a geometric viewpoint, this means that we check that the predicates corresponding to the two literals are bounds for the same convex region. This check can be posed as a Boolean satisfiability problem, which is easily solved using a BDD representation of $\beta$. Let the literals be $e_1$ and $e_2$. Then, we use cofactoring and Boolean operations to compute the following Boolean formula:

$$e_1 \wedge e_2 \wedge [\beta|_{e_1=\mathit{true}} \wedge \neg(\beta|_{e_1=\mathit{false}})] \wedge [\beta|_{e_2=\mathit{true}} \wedge \neg(\beta|_{e_2=\mathit{false}})] \qquad (8.12)$$

Consider the subformula $e_i \wedge [\beta|_{e_i=\mathit{true}} \wedge \neg(\beta|_{e_i=\mathit{false}})]$ for $i = 1, 2$. This formula represents the set of input combinations $\mathbf{e}$ in which $e_i$ must be set to true in order for $\beta(\mathbf{e})$ to evaluate to true. Thus, the conjunction of the subformulas for $i = 1$ and $i = 2$ is satisfiable only if there exists a non-empty set of input combinations $\mathbf{e}$ in which both $e_1$ and $e_2$ must be set to true for $\beta(\mathbf{e})$ to evaluate to true. Viewed alternately, Formula 8.12 expresses the Boolean function corresponding to the disjunction of all terms in the minimized DNF representation of $\beta$ that contain both $e_1$ and $e_2$ in true form. Therefore, if Formula 8.12 is satisfiable, it means that $e_1$ and $e_2$ are conjoined, and we must add a transitivity constraint involving them both.

Note however, that since $\beta$ does not, by itself, represent the original DL formula $\phi$, finding that $e_1$ and $e_2$ are conjoined in $\beta$ does not imply that they are bounds in the same convex region of $\phi$. However, the converse is true, so our method is sound.
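To make the cofactoring test concrete, the following Python (an added example, not the thesis's implementation) decides Formula 8.12 for a Boolean encoding $\beta$ of the formula $\phi = (x_1 > x_0 + 3 \wedge x_2 < x_0 + 2) \vee (x_1 \leq x_0 + 3 \wedge x_2 > x_0 + 3)$ of Example 8.2 below, scanning the truth table instead of operating on a BDD; the variable names, the `beta` callable and the lists of upper and lower bound literals on $x_0$ are constructed for this illustration.

```python
"""Section 8.4.1 conjoinedness test (Formula 8.12) for two literals of a Boolean
encoding β, decided by exhaustive enumeration instead of BDD cofactoring.
Added example, not the thesis's code; β and its variables are constructed below."""
from itertools import product

def cofactor(f, var, value):
    """The cofactor f|var=value of a Boolean function given as a Python callable."""
    return lambda env: f({**env, var: value})

def forced(f, lit):
    """Building block of Formula 8.12 for a literal lit = (var, polarity):
    lit ∧ [f|lit=true ∧ ¬(f|lit=false)], the inputs on which lit must hold for f."""
    var, pol = lit
    pos, neg = cofactor(f, var, pol), cofactor(f, var, not pol)
    return lambda env: env[var] == pol and pos(env) and not neg(env)

def conjoined(f, variables, lit1, lit2):
    """Formula 8.12 is satisfiable iff lit1 and lit2 appear together in some term
    of the minimized DNF of f; here the search is a truth-table scan."""
    g1, g2 = forced(f, lit1), forced(f, lit2)
    return any(g1(env) and g2(env)
               for env in (dict(zip(variables, bits))
                           for bits in product((False, True), repeat=len(variables))))

def constraint_pairs(f, variables, upper_lits, lower_lits):
    """(upper bound, lower bound) literal pairs on the quantified variable that
    actually need a transitivity constraint: only the conjoined ones."""
    return [(u, l) for u in upper_lits for l in lower_lits
            if conjoined(f, variables, u, l)]

# Boolean encoding β of φ from Example 8.2, constructed for this example:
#   φ = (x1 > x0 + 3 ∧ x2 < x0 + 2) ∨ (x1 ≤ x0 + 3 ∧ x2 > x0 + 3)
E1 = 'e[x1,x0]^(>,3)'   # x1 > x0 + 3: an upper bound on x0
E2 = 'e[x2,x0]^(>=,2)'  # x2 >= x0 + 2; its negation x2 < x0 + 2 is a lower bound on x0
E3 = 'e[x2,x0]^(>,3)'   # x2 > x0 + 3: an upper bound on x0
VARS = [E1, E2, E3]

def beta(env):
    """β: x1 ≤ x0 + 3 is the literal negation of x1 > x0 + 3 (Section 8.3)."""
    return (env[E1] and not env[E2]) or (not env[E1] and env[E3])

UPPER_ON_X0 = [(E1, True), (E3, True)]   # literals that bound x0 from above
LOWER_ON_X0 = [(E2, False)]              # literals that bound x0 from below
```

Only the pair `(E1, ¬E2)` is conjoined, which is why Example 8.2 generates a single transitivity constraint for $e^{>,3}_{1,0}$.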

8.4.2 Quantifier Elimination by Eliminating Upper Bounds on $x_0$

A special class of formulas that appear in the model checking of timed systems is expressed as the formula $\omega_\varepsilon$ below:

$$\omega_\varepsilon = \exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi + \varepsilon \qquad (8.13)$$

¹ A conservative, syntactic variant of this idea has been proposed earlier by Strichman [147].

In the above equation, $\phi$ is an arbitrary DL formula, and $\phi + \varepsilon$ denotes the formula obtained by adding $\varepsilon$ to all real variables occurring in $\phi$, computed as $\phi[x_i + \varepsilon / x_i,\ 1 \leq i \leq n]$, where $x_1, \ldots, x_n$ are the real variables in $\phi$, excluding the zero variable $x_0$. Note that even though $\phi + \varepsilon$ is not in QDL as described above, it can be rewritten to be in QDL; this rewriting procedure is described in Section 9.3 and we omit it here as it is not relevant to the discussion.

From a geometric viewpoint, $\phi$ is a region in $\mathbb{R}^n$ and $\omega_\varepsilon$ is the shadow of $\phi$ for a light source at $\infty^n$. Examples of $\phi$ and the corresponding $\omega_\varepsilon$ are shown in Figures 8.1(a) and 8.1(c) respectively.

We can transform $\omega_\varepsilon$ to an equivalent DL formula by eliminating upper bounds on $x_0$, i.e., Boolean variables of the form $e^{\bowtie,c}_{i,0}$. The transformation is performed iteratively in the following steps:


1. Let $\phi_0 = \phi$. Let $e^{\bowtie_1,c_1}_{i_1,0}, e^{\bowtie_2,c_2}_{i_2,0}, \ldots, e^{\bowtie_m,c_m}_{i_m,0}$ be Boolean literals encoding all upper bounds on $x_0$ that occur in $\phi$.

Note that an upper bound literal $e^{\bowtie_j,c_j}_{i_j,0}$ occurs in $\phi$ if it appears in some term in the minimized DNF representation of $\phi$. This can be checked by evaluating the Boolean function $[\beta|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} \wedge \neg(\beta|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{false}})]$, where $\beta$ is the Boolean encoding of $\phi$, and checking that it is not false.

2. For $j = 1, 2, \ldots, m$, we construct $\phi_j$ as follows:

(a) Replace all occurrences of $x_{i_j} \bowtie_j x_0 + c_j$ in $\phi_{j-1}$ with $e^{\bowtie_j,c_j}_{i_j,0}$ to get $\phi^{j-1}_{\mathit{bool}}$.

(b) Construct $\phi^{j-1}_{\mathit{cons}}$, the conjunction of all transitivity constraints² for $x_0$ involving $e^{\bowtie_j,c_j}_{i_j,0}$ and real-valued variables in $\phi^{j-1}_{\mathit{bool}}$.

(c) Construct the formula $\phi_j$, a disjunction of two terms:

$$\phi_j = \left\{ (\phi^{j-1}_{\mathit{bool}} \wedge \phi^{j-1}_{\mathit{cons}})\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} \right\} \vee \left\{ [\neg(x_{i_j} \bowtie_j x_0 + c_j)] \wedge \left[\phi^{j-1}_{\mathit{bool}}\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{false}}\right] \right\}$$

The first disjunct is the region obtained by dropping the bound $x_{i_j} \bowtie_j x_0 + c_j$ from the convex sub-regions of $\phi_{j-1}$ where it is a lower bound on $x_{i_j}$, while enforcing existing and transitively implied bounds. The second disjunct corresponds to the sub-regions where $\neg(x_{i_j} \bowtie_j x_0 + c_j)$ is an upper bound; these regions are left unchanged.


The output of the above transformation, $\phi_{\mathit{ub}}$, is given by $\phi_{\mathit{ub}} = \phi_m$. The correctness of this procedure is formalized in the following theorem.


Theorem 8.2 $\omega_\varepsilon$ and $\phi_{\mathit{ub}}$ are equivalent.

Proof: We make use of the following lemmas.

² We can use the optimization technique of Section 8.4.1 in this step.

Lemma 8.1 For all $j = 1, \ldots, m$, $\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi_{j-1} + \varepsilon$ is equivalent to $\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi_j + \varepsilon$.

Proof: (Lemma 8.1)

We give the proof for an arbitrary $j$ satisfying $1 \leq j \leq m$. Let $\omega_{j-1}$ and $\omega_j$ respectively denote $\exists \varepsilon_{j-1}.\ \varepsilon_{j-1} \geq x_0 \wedge \phi_{j-1} + \varepsilon_{j-1}$ and $\exists \varepsilon_j.\ \varepsilon_j \geq x_0 \wedge \phi_j + \varepsilon_j$. Notice that we have renamed the bound variable $\varepsilon$.

1. First, we show that $\omega_{j-1} \Rightarrow \omega_j$. Let $\sigma$ be an assignment to the free and bound variables in $\omega_{j-1}$ such that $\sigma[\omega_{j-1}] = \mathit{true}$. This means that $\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \mathit{true}$. Extend $\sigma$ so that $\sigma[\varepsilon_j] = \sigma[\varepsilon_{j-1}]$. Thus, $\sigma[\varepsilon_{j-1} \geq x_0] = \sigma[\varepsilon_j \geq x_0] = \mathit{true}$.

We consider two cases.

(a) Case 1: $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_{j-1}] = \mathit{true}$.

Note that by construction,

$$\phi^{j-1}_{\mathit{bool}} = \phi_{j-1}[e^{\bowtie_j,c_j}_{i_j,0} / (x_{i_j} \bowtie_j x_0 + c_j)]$$

From the two equalities above, and since $\sigma[\varepsilon_j] = \sigma[\varepsilon_{j-1}]$, we get

$$\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \sigma\left[\phi^{j-1}_{\mathit{bool}}\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} + \varepsilon_j\right]$$

In addition, the transitivity constraints are satisfied, i.e., $\sigma[\phi^{j-1}_{\mathit{cons}}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} + \varepsilon_j] = \mathit{true}$, because $\phi^{j-1}_{\mathit{cons}}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} + \varepsilon_j$ only involves real-valued variables. Thus,

$$\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \sigma\left[(\phi^{j-1}_{\mathit{bool}} \wedge \phi^{j-1}_{\mathit{cons}})\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} + \varepsilon_j\right]$$

Thus, we conclude that

$$\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \sigma[\phi_j + \varepsilon_j] = \mathit{true}$$

which in turn implies that

$$\sigma[\varepsilon_{j-1} \geq x_0 \wedge \phi_{j-1} + \varepsilon_{j-1}] = \sigma[\varepsilon_j \geq x_0 \wedge \phi_j + \varepsilon_j] = \mathit{true}$$

and so

$$\sigma[\omega_{j-1}] = \sigma[\omega_j] = \mathit{true}$$

This concludes the first case.
(b) Case 2: $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_{j-1}] = \mathit{false}$.

Since

$$\phi^{j-1}_{\mathit{bool}} = \phi_{j-1}[e^{\bowtie_j,c_j}_{i_j,0} / (x_{i_j} \bowtie_j x_0 + c_j)]$$

and, in addition, $\sigma[\varepsilon_j] = \sigma[\varepsilon_{j-1}]$, we have

$$\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \sigma\left[\phi^{j-1}_{\mathit{bool}}\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{false}} + \varepsilon_j\right]$$

Now, since $\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \mathit{true}$, we get

$$\sigma\left[\phi^{j-1}_{\mathit{bool}}\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{false}} + \varepsilon_j\right] = \mathit{true}$$

and

$$\sigma\left[\neg(x_{i_j} \bowtie_j x_0 + c_j) \wedge \phi^{j-1}_{\mathit{bool}}\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{false}} + \varepsilon_j\right] = \mathit{true}$$

and so, we conclude that

$$\sigma[\phi_j + \varepsilon_j] = \sigma[\varepsilon_j \geq x_0 \wedge \phi_j + \varepsilon_j] = \sigma[\omega_j] = \mathit{true}$$

which concludes case 2.

Thus, $\omega_{j-1} \Rightarrow \omega_j$.

2. We next show that $\omega_j \Rightarrow \omega_{j-1}$.

Let $\sigma$ be an assignment to the free and bound variables in $\omega_j$ such that $\sigma[\omega_j] = \mathit{true}$. This means that $\sigma[\phi_j + \varepsilon_j] = \mathit{true}$. We wish to extend $\sigma$ by an assignment to $\varepsilon_{j-1}$ so that $\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \mathit{true}$ and $\sigma[\varepsilon_{j-1} \geq x_0] = \mathit{true}$.

We consider two cases.

(a) Case 1: $\sigma[(\phi^{j-1}_{\mathit{bool}} \wedge \phi^{j-1}_{\mathit{cons}})|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} + \varepsilon_j] = \mathit{true}$. Therefore,

$$\sigma\left[\phi^{j-1}_{\mathit{bool}}\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} + \varepsilon_j\right] = \mathit{true} \quad \text{and} \quad \sigma\left[\phi^{j-1}_{\mathit{cons}}\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}} + \varepsilon_j\right] = \mathit{true} \qquad (8.14)$$

If $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_j] = \mathit{true}$, then using the equality

$$\phi^{j-1}_{\mathit{bool}} = \phi_{j-1}[e^{\bowtie_j,c_j}_{i_j,0} / (x_{i_j} \bowtie_j x_0 + c_j)] \qquad (8.15)$$

we can set $\sigma[\varepsilon_{j-1}] = \sigma[\varepsilon_j]$, which yields $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_{j-1}] = \mathit{true}$, and so using Equations 8.14 and 8.15, we get

$$\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \sigma[\phi_j + \varepsilon_j] = \mathit{true} \qquad (8.16)$$

However, if $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_j] = \mathit{false}$, then we must find an alternate assignment to $\varepsilon_{j-1}$, such that $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_{j-1}] = \mathit{true}$. Then, we can conclude, as above, that Equation 8.16 holds.

Consider, w.r.t. the assignment $\sigma$, all lower bounds on $x_0$ that occur in $\phi_{j-1} + \varepsilon_j$ (and hence in $\phi^{j-1}_{\mathit{bool}} + \varepsilon_j$); more precisely, a lower bound on $x_0$ is a predicate $(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_j$ such that $\sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_j] = \mathit{true}$.

If no such lower bound on $x_0$ exists, then we can set $\varepsilon_{j-1}$ to any value that results in $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_{j-1}] = \mathit{true}$, because there is no lower bound to be violated by increasing the value of a real-valued variable.

So suppose at least one lower bound on $x_0$ exists in $\phi_{j-1} + \varepsilon_j$. Define the value $v_s$ as

$$v_s = \min_{k \text{ s.t. } \sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_j] = \mathit{true}} \left(-c_k - \sigma[x_{i_k} + \varepsilon_j]\right) \qquad (8.17)$$

Note that $v_s \geq 0$ since $\sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_j] = \mathit{true}$ for all $k$ in Equation 8.17.

Let $l$ be the $k$ for which the minimum on the right-hand side of Equation 8.17 is attained. If there are many such $k$, say $k_1, k_2, \ldots, k_q$, set $l$ according to the following rules:

i. If there exists $k_t$ for which $\bowtie_{k_t} = {>}$, set $l$ to any one such $k_t$.

ii. Otherwise select $l$ to be any one of $k_1, k_2, \ldots, k_q$.

Thus,

$$v_s = -c_l - \sigma[x_{i_l} + \varepsilon_j] \qquad (8.18)$$

Next, we define a positive real number $\chi$ as follows:

$$\chi = \begin{cases} \chi_0 & \text{if } \bowtie_l = {>}, \text{ and where } \chi_0 \in (0, \sigma[x_{i_j} - x_{i_l} - c_j - c_l]) \\ 0 & \text{otherwise} \end{cases} \qquad (8.19)$$

Note that $\sigma[x_{i_j} - x_{i_l} - c_j - c_l]$ is non-negative and is strictly positive when $\bowtie_l = {>}$. This is because there exists a transitivity constraint in $\phi^{j-1}_{\mathit{cons}}$ of the form

$$(e^{\bowtie_j,c_j}_{i_j,0} \wedge x_0 \bowtie_l x_{i_l} + c_l) \Rightarrow (x_{i_j} \bowtie_j x_{i_l} + c_j + c_l)$$

which occurs in $\phi^{j-1}_{\mathit{cons}}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{true}}$ as

$$(x_0 \bowtie_l x_{i_l} + c_l) \Rightarrow (x_{i_j} \bowtie_j x_{i_l} + c_j + c_l)$$

The following constraint also holds:

$$(x_0 \bowtie_l x_{i_l} + c_l) \Rightarrow (x_{i_j} \bowtie_l x_{i_l} + c_j + c_l)$$
Since $\sigma[(x_0 \bowtie_l x_{i_l} + c_l) + \varepsilon_j] = \mathit{true}$, the following equalities hold:

$$\sigma[(x_{i_j} \bowtie_j x_{i_l} + c_j + c_l) + \varepsilon_j] = \sigma[x_{i_j} \bowtie_j x_{i_l} + c_j + c_l] = \mathit{true} \qquad (8.20)$$

$$\sigma[(x_{i_j} \bowtie_l x_{i_l} + c_j + c_l) + \varepsilon_j] = \sigma[x_{i_j} \bowtie_l x_{i_l} + c_j + c_l] = \mathit{true} \qquad (8.21)$$

Thus, $\sigma[x_{i_j} - x_{i_l} - c_j - c_l]$ is non-negative and is strictly positive when $\bowtie_l = {>}$.

We now show that $v_s - \chi \geq 0$. If $\chi = 0$, clearly $v_s - \chi \geq 0$. So, assume that $\bowtie_l = {>}$, and thus $\chi \in (0, \sigma[x_{i_j} - x_{i_l} - c_j - c_l])$. Then we can conclude the following:

$$\begin{aligned} v_s - \chi &= -c_l - \sigma[x_{i_l}] - \sigma[\varepsilon_j] - \chi \\ &> -c_l - \sigma[x_{i_l}] - \sigma[\varepsilon_j] - \sigma[x_{i_j} - x_{i_l} - c_j - c_l] \\ &= -c_l - \sigma[x_{i_l}] - \sigma[\varepsilon_j] - \sigma[x_{i_j}] + \sigma[x_{i_l}] + c_j + c_l \\ &= c_j - \sigma[x_{i_j}] - \sigma[\varepsilon_j] \\ &\geq 0 \quad (\text{since } \sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_j] = \mathit{false}) \end{aligned}$$

Intuitively, $v_s - \chi$ is a non-negative real number we can add to all real-valued variables without violating lower bounds on $x_0$ in $\phi_{j-1} + \varepsilon_j$. Now, define $\sigma[\varepsilon_{j-1}]$ as follows:

$$\sigma[\varepsilon_{j-1}] = \sigma[\varepsilon_j] + v_s - \chi \qquad (8.22)$$

Since $v_s - \chi \geq 0$, $\sigma[\varepsilon_{j-1}] \geq \sigma[\varepsilon_j]$.

Given the above assignment to $\varepsilon_{j-1}$, we first show that $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_{j-1}] = \mathit{true}$. We have the following sequence of equalities:

$$\begin{aligned} &\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_{j-1}] \\ &= \sigma[x_{i_j}] + \sigma[\varepsilon_{j-1}] \bowtie_j c_j \\ &= \sigma[x_{i_j}] \bowtie_j c_j - \sigma[\varepsilon_{j-1}] \\ &= \sigma[x_{i_j}] \bowtie_j c_j - v_s + \chi - \sigma[\varepsilon_j] \\ &= \sigma[x_{i_j}] \bowtie_j \chi + c_j - \min_k\left(-\sigma[x_{i_k} + \varepsilon_j] - c_k\right) - \sigma[\varepsilon_j] \\ &= \sigma[x_{i_j}] \bowtie_j \chi + c_j + (\sigma[x_{i_l} + \varepsilon_j] + c_l) - \sigma[\varepsilon_j] \\ &= \sigma[x_{i_j}] \bowtie_j \chi + \sigma[x_{i_l}] + c_j + c_l \\ &= \mathit{true} \quad (\text{since } \chi \in (0, \sigma[x_{i_j} - x_{i_l} - c_j - c_l]) \text{ and from Eqn. 8.20}) \end{aligned}$$

We next show that the assignment to $\varepsilon_{j-1}$ in Equation 8.22 preserves the truth assignment to other bounds on $x_0$; i.e., bounds in $\phi_{j-1} + \varepsilon_j$ other than $(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_j$. Formally, we show that for all bounds $x_0 \bowtie_k x_{i_k} + c_k$ where $k \neq j$:

$$\sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_{j-1}] = \sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_j]$$
Note that the value of difference constraints of the form $x_{i_{k_1}} \bowtie x_{i_{k_2}} + c_{k_1 k_2}$ is unaffected by the assignment to $\varepsilon_j$ or $\varepsilon_{j-1}$.

If $\sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_j] = \mathit{false}$, then $\sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_{j-1}] = \mathit{false}$, since $\sigma[\varepsilon_{j-1}] \geq \sigma[\varepsilon_j]$.

On the other hand, if $\sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_j] = \mathit{true}$, then

$$\begin{aligned} &\sigma[(x_0 \bowtie_k x_{i_k} + c_k) + \varepsilon_{j-1}] \\ &= 0 \bowtie_k \sigma[x_{i_k}] + c_k + \sigma[\varepsilon_{j-1}] \\ &= 0 \bowtie_k \sigma[x_{i_k}] + c_k + \sigma[\varepsilon_j] + v_s - \chi \\ &= 0 \bowtie_k (c_k + \sigma[x_{i_k}]) + \sigma[\varepsilon_j] + (-c_l - \sigma[x_{i_l} + \varepsilon_j]) - \chi \\ &= (-c_k - \sigma[x_{i_k}]) \bowtie_k (-c_l - \sigma[x_{i_l}]) - \chi \\ &= \mathit{true} \quad (\text{since } \chi \geq 0 \text{ and from Equations 8.17 and 8.18}) \end{aligned}$$

To sum up, we have shown that $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_{j-1}] = \mathit{true}$, even though $\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_j] = \mathit{false}$. Thus, we can conclude that

$$\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \sigma[\phi_j + \varepsilon_j] = \mathit{true}$$

This completes the proof for the first case.
(b) Case 2: $\sigma[\neg(x_{i_j} \bowtie_j x_0 + c_j) \wedge \phi^{j-1}_{\mathit{bool}}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{false}} + \varepsilon_j] = \mathit{true}$. Thus

$$\sigma\left[\phi^{j-1}_{\mathit{bool}}\big|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathit{false}} + \varepsilon_j\right] = \mathit{true}$$

and

$$\sigma[(x_{i_j} \bowtie_j x_0 + c_j) + \varepsilon_j] = \mathit{false}$$

Letting $\sigma[\varepsilon_{j-1}] = \sigma[\varepsilon_j]$ and from Equation 8.15, we get

$$\sigma[\phi_{j-1} + \varepsilon_{j-1}] = \mathit{true}$$

as required.

From parts 1 and 2 above, we conclude that $\omega_{j-1}$ and $\omega_j$ are equivalent.

□ 

Lemma 8.2 Suppose the DL formula $\phi$ does not contain any difference constraints that are upper bounds on $x_0$; i.e., any satisfying assignment to $\phi$ sets all upper bounds on $x_0$ to false, and all lower bound predicates to true. Then, $\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi + \varepsilon$ is equivalent to $\phi$.

Proof: (Lemma 8.2)

We first show that $\phi \Rightarrow (\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi + \varepsilon)$.

Let $\sigma$ be an assignment to the variables in $\phi$ such that $\sigma[\phi] = \mathit{true}$. We extend $\sigma$ with an evaluation of $\varepsilon$ so that $\sigma[\varepsilon] = 0 = \sigma[x_0]$. Then, $\sigma[\varepsilon \geq x_0 \wedge \phi + \varepsilon] = \mathit{true}$, since $\sigma[\phi + \varepsilon] = \sigma[\phi]$. Therefore, $\sigma[\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi + \varepsilon] = \mathit{true}$. Thus, $\phi \Rightarrow (\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi + \varepsilon)$.

Next, we show that $(\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi + \varepsilon) \Rightarrow \phi$. Let $\sigma$ be an assignment such that $\sigma[\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi + \varepsilon] = \mathit{true}$. Thus, $\sigma[\varepsilon \geq x_0] = \mathit{true}$ and $\sigma[\phi + \varepsilon] = \mathit{true}$. Since $\phi$ does not contain any difference constraints that are upper bounds on $x_0$, for any lower bound $x_0 \bowtie_k x_k + c_k$ on $x_0$, $\sigma[(x_0 \bowtie_k x_k + c_k) + \varepsilon] = \mathit{true}$, and for an upper bound $x_i \bowtie_i x_0 + c_i$ on $x_0$, $\sigma[(x_i \bowtie_i x_0 + c_i) + \varepsilon] = \mathit{false}$.

Then, since $\sigma[\varepsilon] \geq 0$,

$$\sigma[(x_0 \bowtie_k x_k + c_k) + \varepsilon] = \mathit{true} = \sigma[x_0 \bowtie_k (x_k + \varepsilon) + c_k] = \sigma[x_0 \bowtie_k x_k + c_k]$$

Similarly, for an upper bound predicate on $x_0$, $\sigma[x_i \bowtie_i x_0 + c_i] = \mathit{false}$.

It then follows that $\sigma[\phi] = \mathit{true}$.

□ 

From Lemma 8.1, we infer that $\omega_\varepsilon = \exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi_0 + \varepsilon$ is equivalent to $\exists \varepsilon.\ \varepsilon \geq x_0 \wedge \phi_m + \varepsilon$. Additionally, since $\phi_m$ does not contain any upper bounds on $x_0$, using Lemma 8.2, we conclude that $\omega_\varepsilon$ is equivalent to $\phi_m = \phi_{\mathit{ub}}$. This completes the proof of Theorem 8.2. □


Figure 8.1: Eliminating upper bounds on $x_0$. (a) $\phi_0 = \phi$; (b) $\phi_1$; (c) $\phi_2 = \omega_\varepsilon$.

Example 8.2 Let the subformula $\phi$ of $\omega_\varepsilon$ be

$$\phi = (x_1 > x_0 + 3 \wedge x_2 < x_0 + 2) \vee (x_1 \leq x_0 + 3 \wedge x_2 > x_0 + 3)$$

$\phi$ is depicted geometrically as the shaded region in Figure 8.1(a). It comprises two sub-regions, one for each disjunct. The lower bounds on these regions, $x_1 > x_0 + 3$ and $x_2 > x_0 + 3$, are upper bounds on $x_0$. We encode these by $e^{>,3}_{1,0}$ and $e^{>,3}_{2,0}$.

Figure 8.1(b) shows $\phi_1$, the result of eliminating $e^{>,3}_{1,0}$. Formally, we calculate

$$\phi^0_{\mathit{bool}} = (e^{>,3}_{1,0} \wedge x_2 < x_0 + 2) \vee (\neg e^{>,3}_{1,0} \wedge x_2 > x_0 + 3)$$

$$\phi^0_{\mathit{cons}} = (e^{>,3}_{1,0} \wedge x_2 < x_0 + 2) \Rightarrow (x_1 > x_2 + 1)$$

Then, applying step 2(c) of the transformation, we get

$$\phi_1 = (x_2 < x_0 + 2 \wedge x_1 > x_2 + 1) \vee (x_1 \leq x_0 + 3 \wedge x_2 > x_0 + 3)$$

Similarly, in the next iteration, we introduce and eliminate $e^{>,3}_{2,0}$ to get $\phi_2$, shown in Figure 8.1(c), which is equivalent to $\omega_\varepsilon$. □

8.4.3  Eliminating  Infeasible  Paths  in  BDDs 

Suppose $\beta$ is the Boolean encoding of the DL formula $\phi$. Let $\phi_{\mathit{cons}}$ denote the conjunction of transitivity constraints for all real-valued variables in $\phi$, and let $\beta_{\mathit{cons}}$ denote its Boolean encoding. Finally, denote the BDD representations of $\beta$ and $\beta_{\mathit{cons}}$ by $\mathrm{Bdd}(\beta)$ and $\mathrm{Bdd}(\beta_{\mathit{cons}})$ respectively.

We would like to eliminate paths in $\mathrm{Bdd}(\beta)$ that violate transitivity constraints, i.e., those corresponding to assignments to variables in $\beta$ for which $\beta_{\mathit{cons}} = \mathit{false}$. We can do this by using the BDD Restrict operator, replacing $\mathrm{Bdd}(\beta)$ by $\mathrm{Restrict}(\mathrm{Bdd}(\beta), \mathrm{Bdd}(\beta_{\mathit{cons}}))$. Informally, $\mathrm{Restrict}(\mathrm{Bdd}(\beta), \mathrm{Bdd}(\beta_{\mathit{cons}}))$ traverses $\mathrm{Bdd}(\beta)$, eliminating a path on which $\beta_{\mathit{cons}}$ is false as long as it doesn't involve adding new nodes to the resulting BDD. Details about the Restrict operator may be found in the paper by Coudert and Madre [44].

Since  eliminating  infeasible  paths  in  a  large  BDD  can  be  quite  time  consuming,  we  do  not  apply 
this  optimization  very  often.  For  example,  in  model  checking  timed  automata,  this  optimization  is 
applied  only  to  the  BDD  for  the  set  of  reachable  states,  and  only  once  on  each  fixpoint  iteration. 


8.5  Summary 

This chapter showed how to eliminate quantifiers over real-valued variables in a quantified difference logic (QDL) formula by transforming the problem to one of eliminating quantifiers over Boolean variables from a quantified Boolean formula. Satisfiability solving of DL formulas over Boolean and real-valued variables was discussed, as were techniques for representing and manipulating DL formulas. Several optimizations can be used to improve on the quantifier elimination method in practice.

In  the  next  chapter,  we  will  see  how  the  Boolean  methods  for  QDL  discussed  in  this  chapter  can  be 
applied  to  the  problem  of  model  checking  timed  automata. 


Chapter  9 


Model  Checking  and  Timed  Circuits 


A  timed  system  is  a  generalization  of  a  finite-state  system  with  real-valued  clock  or  timer  variables. 
A  particularly  expressive  formalism  for  timed  systems  is  the  timed  automaton  [3, 5]. 

A  timed  automaton  is  a  generalization  of  a  finite  automaton  with  a  set  of  real-valued  clock  variables. 
The  state  space  of  a  timed  automaton  thus  has  a  finite  component  (over  Boolean  state  variables)  and 
an  infinite  component  (over  clock  variables).  Several  model  checking  techniques  for  timed  automata 
have  been  proposed  over  the  past  15  years.  These  can  be  classified,  on  the  one  hand,  as  being  either 
symbolic or fully symbolic, and on the other, as being bounded or unbounded. Symbolic techniques
use a symbolic representation for the infinite component of the state space, and explicit representations
for the finite component. In contrast, fully symbolic methods employ a single symbolic
representation  for  both  finite  and  infinite  components  of  the  state  space.  Bounded  model  checking 
techniques  work  by  unfolding  the  transition  relation  d  times,  finding  counterexamples  of  length  up 
to  d,  if  they  exist.  As  in  the  untimed  case,  these  methods  suffer  from  the  limitation  that,  unless 
a  bound  on  the  length  of  counterexamples  is  known,  they  cannot  verify  the  property  of  interest. 
Unbounded  methods,  on  the  other  hand,  can  produce  a  guarantee  of  correctness. 

The  theoretical  foundation  for  unbounded,  fully  symbolic  model  checking  of  timed  automata  was 
laid by Henzinger et al. [71]. The characteristic function of a set of states is a formula in difference
logic (DL). The most important model checking operations involve deciding DL formulas and
eliminating  quantifiers  on  real  variables  from  quantified  difference  logic  (QDL)  formulas. 

This  chapter  describes  the  first  approach  to  unbounded,  fully  symbolic  model  checking  of  timed 
automata  that  is  based  on  a  Boolean  encoding  of  DL  formulas  and  that  preserves  the  interpretation 
of  clocks  over  the  reals.  Unlike  some  other  fully  symbolic  techniques,  our  method  can  be  used  to 
model check any property in the timed μ calculus or Timed Computation Tree Logic (TCTL) [4].
The method is based on the results of Chapter 8, and especially on the technique for transforming
the problem of eliminating quantifiers on real variables to one of eliminating quantifiers on Boolean
variables.

We  begin  this  chapter  with  a  discussion  of  related  work.  Section  9.2  gives  background  information 
on timed automata and the timed μ calculus. We describe our fully symbolic model checking algorithm
in Section 9.3, including a description of our implementation and results on a toy example.
Section  9.4  describes  our  experience  applying  this  model  checking  algorithm  to  the  verification  of 
timed  circuits. 


9.1  Related  Work 

We  discuss  the  related  work  that  is  most  relevant  to  our  approach  to  fully  symbolic  model  checking 
of  timed  automata.  A  more  detailed  survey  of  techniques  for  model  checking  timed  systems  can  be 
found  in  the  recent  paper  by  Wang  [162]. 

The work that is most closely related to ours is the approach based on representing DL formulas using
Difference Decision Diagrams (DDDs) [102]. A DDD is a BDD-like data structure, where the
node labels are generalized to be difference constraints rather than just Boolean variables, with the
ordering of constraints induced by an ordering of clock variables. This constraint ordering permits
the use of local reduction operations, such as eliminating inconsistent combinations of two constraints
that involve the same pair of clock variables. Deciding a DL formula represented as a DDD
is done by eliminating all inconsistent paths in the DDD. This is done by enumerating all paths in
the DDD and checking the satisfiability of the conjunction of constraints on each path using a constraint
solver based on the Bellman-Ford shortest path algorithm. Note that each path can be viewed
as a disjunct in the Disjunctive Normal Form (DNF) representation of the DDD, and in the worst
case there can be exponentially many calls to the constraint solver. Quantifier elimination is performed
by the Fourier-Motzkin technique [49], which also requires enumerating all possible paths.
In  contrast,  our  Boolean  encoding  method  is  general  in  that  any  representation  of  Boolean  functions 
may  be  used.  Our  decision  procedure  and  quantifier  elimination  scheme  use  a  direct  translation  to 
SAT  and  Boolean  quantification,  respectively,  avoiding  the  need  to  explicitly  enumerate  each  DNF 
term.  In  theory,  the  use  of  DDDs  permits  unbounded,  fully  symbolic  model  checking  of  TCTL; 
however,  the  DDD-based  model  checker  [102]  can  only  check  reachability  properties  (these  can 
express  safety  and  bounded-liveness  properties  [1]). 

Uppaal2k  and  KRONOS  are  unbounded,  symbolic  model  checkers  that  explicitly  enumerate  the 
discrete  component  of  the  state  space.  KRONOS  uses  Difference  Bound  Matrices  (DBMs)  as  the 
symbolic representation [168] of the infinite component. Uppaal2k uses, in addition, Clock Difference
Diagrams (CDDs) to symbolically represent unions of convex clock regions [15]. In a CDD,
a node is labeled by the difference of a pair of clock variables, and each outgoing edge from a node
is labeled with an interval bounding that difference. Note that while KRONOS can check arbitrary
TCTL formulas, Uppaal2k is limited to checking reachability properties and very restricted liveness
properties such as AF p.

Red  is  an  unbounded,  fully  symbolic  model  checker  based  on  a  data  structure  called  the  Clock 
Restriction  Diagram  (CRD)  [161].  The  CRD  is  similar  to  a  CDD,  labeling  each  node  with  the 
difference  between  two  clock  variables.  However,  each  outgoing  edge  from  a  node  is  labeled  with 
an  upper  bound,  instead  of  an  interval.  Red  represents  difference  formulas  by  a  combined  BDD- 
CRD  structure,  and  can  model  check  TCTL  formulas. 

A fully symbolic version of Kronos using BDDs has been developed by interpreting clock variables
over integers [24]; however, this approach is restricted to checking reachability for the subclass
of closed timed automata¹, and the encoding blows up with the size of the integer constants. Rabbit
[18] is a tool based on this approach that additionally exploits compositional methods to find
good  BDD  variable  orderings.  In  comparison,  our  technique  applies  to  all  timed  automata  and  its 
efficiency  is  far  less  sensitive  to  the  size  of  constants.  Also,  the  variable  ordering  methods  used  in 
Rabbit  could  be  used  in  a  BDD-based  implementation  of  our  technique. 

Many  fully  symbolic,  but  bounded  model  checking  methods  based  on  SAT  have  been  developed 
(e.g.,  [9,  114]).  McMillan  [100]  has  recently  combined  bounded  model  checking  methods  with  an 
interpolating  theorem  prover  to  perform  unbounded  model  checking  of  a  sub-class  of  infinite-state 
systems  that  includes  timed  automata. 


9.2  Background 

We begin with a brief presentation of background material, based on papers by Alur [3] and Henzinger
et al. [71]. We refer the reader to these papers for details.

9.2.1  Timed  Automata 

A timed automaton T is a tuple (L, L_0, Σ, X, I, E), where L is a finite set of locations, L_0 ⊆ L is
a finite set of initial locations, Σ is a finite set of labels used for product construction, X is a finite
set of non-negative real-valued clock variables, I is a function mapping a location to a DL formula
(called a location invariant), and E is the transition relation, a subset of L × Γ × R × Σ × L, where
Γ is a set of DL formulas that form enabling guard conditions for each transition, and R is a set of
clock reset assignments. A location invariant is the condition under which the system can stay in that
location. A clock reset assignment is of the form x_i := x_0 + c or x_i := x_j, where x_i, x_j ∈ X and c
is an integer constant,² and indicates that the clock variable on the left-hand side of the assignment
is reset to the value of the expression on the right-hand side. We will denote guards by ψ, ψ_1, ....

¹Clock constraints in a closed timed automaton do not contain strict inequalities.

²The assignment x_i := c is represented as x_i := x_0 + c. Wherever we use x_i to denote a clock variable, i > 0.

Figure 9.1: Example of a timed automaton. Reproduced from [3].

Example 9.1 An example of a timed automaton is given in Figure 9.1.

For this example, L = {l_0, l_1, l_2, l_3}, L_0 = {l_0}, Σ = {a, b, c, d}, X = {x_1, x_2}, I(l_0) = I(l_3) =
true, I(l_1) = I(l_2) = x_1 < 1. The latter location invariant ensures that the transition labeled c
from l_2 to l_3 occurs within 1 time unit of the occurrence of a. Similarly, the guard x_2 > 2 on the
transition from l_3 to l_0 ensures that the time between that transition and the one labeled with b is at
least 2 units. □

Two timed automata are composed by synchronizing over common labels. We refer the reader to
Alur’s  paper  [3]  for  a  formal  definition  of  product  construction.  Note  that  in  contrast  to  the  definition 
of  timed  automata  given  by  Alur  [3],  we  allow  location  invariants  and  guards  to  be  arbitrary  DL 
formulas,  rather  than  simply  conjunctions  over  difference  constraints  involving  clock  variables. 

The invariant I_T for the timed automaton T is defined as I_T = ⋀_{l ∈ L} [enc(l) ⇒ I(l)], where
enc(l) denotes the Boolean encoding of location l. We will also denote a transition t ∈ E as
ψ ⟹ A, where ψ is a guard condition over both Boolean state variables (used to encode locations)
and clock variables of the system, and A is a set of assignments to clock and Boolean state variables.

Timed  Guarded  Commands 

Henzinger et al. [71] show how timed automata can be expressed as timed guarded command programs.
A guarded command is of the form ψ ⟹ A, where ψ is a guard condition over both
Boolean state variables (used to encode locations) and clock variables of the system, and A is a set
of assignments to clock and Boolean state variables. In general, we have one guarded command
corresponding to each transition between two locations. A timed guarded command program corresponding
to a timed automaton is a pair (P, I_P) where P is a set of guarded commands, and I_P is
the program invariant defined as I_P = I_T.

We will use the timed guarded command program representation of a timed automaton where suitable.

9.2.2 Timed μ Calculus and TCTL

We express properties of timed automata in a generalization of the μ calculus called the timed μ
(Tμ) calculus. A formula φ of the Tμ calculus is generated by the following grammar:

$$ \varphi ::= X \mid \beta \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \triangleright \varphi_2 \mid z.\varphi \mid \mu X.\varphi \mid \nu X.\varphi \qquad (9.1) $$

z is a specification clock variable (i.e., z ∉ X) and X is a formula variable used in fixpoint computation.
The formula φ_1 ▷ φ_2 means that the formula φ_1 is true at the present state, and remains true
(as time elapses) until some transition is taken, at which time formula φ_2 becomes true; thus "▷"
is essentially a next-state operator. The formula z.φ is true in a state where φ is true after setting
specification clock variable z to zero. The expression μX.φ stands for the least fixpoint of φ, where
X is a formula variable bound inside φ; ν denotes the greatest fixpoint operator.

Henzinger et al. [71] show that the Tμ calculus can express the dense-real-time version of Computation
Tree Logic (CTL), Timed CTL (TCTL) [4]. TCTL generalizes CTL by allowing atomic
propositions to be any DL formula, and in addition contains formulas of the form z.φ where z is
a specification clock variable and φ is a TCTL formula in which z appears free; the latter class
enables one to write time-bounded properties. We omit the details for brevity.

Several model checkers are specialized to check reachability properties. Using the notation of the
Tμ calculus, a reachability property is a formula of the form

$$ \beta_{init} \Rightarrow \neg\mu X.[\beta_{err} \vee (\mathit{true} \triangleright X)] $$

where β_init is the initial set of states, and β_err characterizes the bad states; the formula evaluates to
true if no error state is reachable from any initial state.


9.3  Fully  Symbolic  Model  Checking 

Our model checking algorithm can be viewed as an implementation of one given by Henzinger
et al. [71], where we perform operations in QDL using Boolean methods. This algorithm checks
that a timed automaton T satisfies a specification given as a Tμ formula φ. The algorithm always
terminates, and generates a DL formula |φ|, such that, if T is non-zeno (i.e., time can diverge from
any state), then |φ| is equivalent to I_T.

The  algorithm  is  fully  symbolic  since  it  avoids  the  need  to  enumerate  locations  by  representing  sets 
of  values  of  both  Boolean  state  variables  and  clock  variables  as  DL  formulas.  It  performs  backward 
exploration  of  the  state  space  and  uses  the  following  three  special  operators  over  DL  formulas: 


1. Time Elapse: φ_1 ⇝ φ_2 denotes the set of all states that can reach the state set φ_2 by allowing
time to elapse, while staying in state set φ_1 at all times in between. Formally,

$$ \varphi_1 \rightsquigarrow \varphi_2 = \exists\delta\{\delta \geq x_0 \wedge \varphi_2 + \delta \wedge \forall\epsilon[x_0 \leq \epsilon \leq \delta \Rightarrow \varphi_1 + \epsilon]\} \qquad (9.2) $$

where φ + δ denotes the formula obtained by adding δ to all clock variables occurring in φ,
computed as φ[x_i + δ/x_i, 1 ≤ i ≤ n], where x_1, x_2, ..., x_n are the clock variables in φ (i.e.,
not including the zero variable x_0).

2. Assignment: φ[A], where A is a set of assignments, denotes the formula obtained by simultaneously
substituting in φ the right hand side of each assignment in A for the left hand side.
Formally, if A is the list e_1 := β_1, ..., e_k := β_k, x_1 := x_{j_1} + c_1, ..., x_n := x_{j_n} + c_n, where
each e_i is a Boolean variable, each x_i is a clock variable, and for each x_{j_i}, j_i = 0 or c_i = 0,
then

$$ \varphi[A] = \varphi[\beta_1/e_1, \ldots, \beta_k/e_k, x_{j_1} + c_1/x_1, \ldots, x_{j_n} + c_n/x_n] $$

Assignments are thus performed via substitutions of Boolean and real-valued variables by
expressions of the corresponding type. We use the techniques described in Section 8.3 to
perform these substitutions.

3. Weakest Pre-condition: pre_T φ denotes the weakest precondition of φ with respect to the
timed automaton T. Formally,

$$ pre_T\,\varphi = I_T \wedge \varphi \vee \bigvee_{t \in E} pre_t(I_T \wedge \varphi) $$

where for a transition t = ψ ⟹ A

$$ pre_t(\varphi) = \psi \wedge \varphi[A] $$

Note that pre_T is defined using assignments and Boolean operations.

The model checking algorithm is defined inductively on the structure of Tμ formulas, as shown
below:

•  |β| := I_T ∧ β

•  |¬φ| := I_T ∧ ¬|φ|

•  |φ_1 ∨ φ_2| := |φ_1| ∨ |φ_2|

•  |φ_1 ▷ φ_2| := (|φ_1| ∨ |φ_2|) ⇝ pre_T(|φ_2|)

•  |z.φ| := |φ|[z := 0]

•  |μX.φ| is the result of the following iteration:

   φ_new := false;
   repeat
       φ_old := φ_new;
       φ_new := |φ|[X := φ_old];
   until (φ_new ⟹ φ_old);
   return φ_old;


As can be seen from the algorithm description above, apart from Boolean operators, the main components
of the algorithm are: quantifier elimination in the time elapse operation, substitution of
state  variables  in  an  assignment,  and  the  decision  procedure  used  to  check  containment  in  fixpoint 
computation.  For  a  fully  symbolic  model  checker  that  represents  state  sets  as  DL  formulas,  these 
model  checking  operators  can  be  defined  as  operations  in  QDL.  We  elaborate  below. 

Time  Elapse 

Consider the formula on the right hand side of Equation 9.2, the definition of the time elapse operator.
This formula is not in QDL, since it includes expressions that are the sum of two real variables
(e.g., x + δ). However, it can be transformed to a QDL formula by using, instead of δ and ε,
variables δ̄ and ε̄ that represent their negations:

$$ \exists\bar\delta\{\bar\delta \leq x_0 \wedge \varphi_2 + (-\bar\delta) \wedge \forall\bar\epsilon[\bar\delta \leq \bar\epsilon \leq x_0 \Rightarrow \varphi_1 + (-\bar\epsilon)]\} \qquad (9.3) $$

Formula 9.3 is expressible in QDL, since the substitution φ[x_i + (−δ̄)/x_i, 1 ≤ i ≤ n] can be
computed as φ[δ̄/x_0].³ This yields,

$$ \exists\bar\delta\{\bar\delta \leq x_0 \wedge \varphi_2[\bar\delta/x_0] \wedge \forall\bar\epsilon(\bar\delta \leq \bar\epsilon \leq x_0 \Rightarrow \varphi_1[\bar\epsilon/x_0])\} \qquad (9.4) $$

Finally, we can rewrite Formula 9.4 purely in terms of existential quantifiers:

$$ \exists\bar\delta\{\bar\delta \leq x_0 \wedge \varphi_2[\bar\delta/x_0] \wedge \neg\exists\bar\epsilon(\bar\epsilon \leq x_0 \wedge \bar\delta \leq \bar\epsilon \wedge \neg\varphi_1[\bar\epsilon/x_0])\} \qquad (9.5) $$

A procedure for performing the time elapse operation therefore requires one for eliminating (existential)
quantifiers over real variables from a DL formula. For this purpose, we use the quantifier
transformation technique described in Section 8.1.

In addition, we can exploit the special structure of Formula 9.5 so as to avoid introducing ε̄ altogether.
Thus, we can avoid adding new quantified Boolean variables encoding predicates involving
ε̄.

³Note that substituting x_0 by δ̄ or ε̄ can be viewed as shifting the zero reference point to a more negative value, thus
increasing the value of any clock variable relative to zero (e.g., [9, 102]).




Consider the inner existentially quantified DL formula in Formula 9.5, reproduced here:

$$ \exists\bar\epsilon(\bar\epsilon \leq x_0 \wedge \bar\delta \leq \bar\epsilon \wedge \neg\varphi_1[\bar\epsilon/x_0]) $$

Grouping the inequality δ̄ ≤ ε̄ with the formula ¬φ_1[ε̄/x_0], we get:

$$ \exists\bar\epsilon\{\bar\epsilon \leq x_0 \wedge (\bar\delta \leq x_0 \wedge \neg\varphi_1)[\bar\epsilon/x_0]\} \qquad (9.6) $$

Finally, treating δ̄ as a clock variable, we can revert back to ε from ε̄, transforming Formula 9.6 to
the following form:

$$ \exists\epsilon[\epsilon \geq x_0 \wedge (\bar\delta \leq x_0 \wedge \neg\varphi_1) + \epsilon] \qquad (9.7) $$

Formula 9.7 is a special case of the formula ω given in Equation 8.13. Therefore, we can employ
the optimization described in Section 8.4.2.

Checking  Containment 

Containment of one set of states, φ_new, in another, φ_old, is checked by deciding the validity of the
DL formula φ = φ_new ⟹ φ_old (or equivalently, the satisfiability of ¬φ). The satisfiability of ¬φ
is  decided  using  the  technique  of  Section  8.2. 

Reachability  Analysis 

A  simple  but  very  useful  special  case  of  model  checking  is  to  compute  the  set  of  reachable  states  of 
the  timed  automaton.  This  can  be  used  for  checking  safety  properties. 

Let φ_0 denote a DL formula characterizing the initial set of states of a timed automaton T. The
following three-step algorithm computes a DL formula φ_reach representing the set of reachable states
of T.

1. φ_new := φ_0.

2. Do
   (a) φ_old := φ_new
   (b) φ' := post_time(φ_old)            {Let time elapse}
   (c) φ'' := post_E(φ')                  {Fire a transition}
   (d) φ_new := φ_old ∨ φ''               {Union of sets}
   While (φ_old ≠ φ_new)                  {Check termination}

3. φ_reach := φ_new

The symbolic "next-state" operators post_time and post_E are defined as follows:

$$ post_{time}(\varphi) = \exists\delta\{\delta \geq 0 \wedge \varphi - \delta \wedge \forall\epsilon[0 \leq \epsilon \leq \delta \Rightarrow I_T - \epsilon]\} \qquad (9.8) $$

where φ − δ denotes the formula obtained by subtracting δ from all clock variables occurring in
φ, computed as φ[x_i − δ/x_i, 1 ≤ i ≤ n], where x_1, x_2, ..., x_n are the clock variables in φ (and
similarly for I_T − ε).

Intuitively, δ is the time elapsed since the last transition fired. The inner quantified formula in Equation
9.8 ensures that while allowing time to elapse, the values of clock variables must always respect
the invariant I_T. The formula obtained after eliminating quantifiers from post_time(φ) represents all
states reachable from φ by allowing some duration of time to elapse within the constraints imposed
by I_T.

The operation post_E, when applied to a set of states φ, returns the set of states reached from φ by
making some transition. Formally,

$$ post_E(\varphi) = \bigvee_{(\psi \Rightarrow A) \in E} (\varphi \wedge \psi)[A] \qquad (9.9) $$
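The three-step reachability algorithm above, as an added example that is not code from the thesis or from TMV: it runs steps 1 to 3 with post_time and post_E on the automaton of Example 9.1, but keeps each state set as a union of (location, zone) pairs with zones stored as difference-bound matrices (the DBM representation of KRONOS, Section 9.1) instead of Boolean-encoded DL formulas, and checks the containment of step 2 by DBM inclusion rather than by DL validity. The resets x_1 := 0 on a and x_2 := 0 on b are assumed from the discussion of Figure 9.1.

```python
# Added example (not code from the thesis or TMV): steps 1-3 of Section 9.3 on
# Example 9.1, with zones as difference-bound matrices instead of DL formulas.
from itertools import product

# A bound is (c, strict): x_i - x_j <= c, or x_i - x_j < c when strict is True.
INF = (float("inf"), True)   # no constraint on x_i - x_j
ZERO = (0, False)            # x_i - x_j <= 0

def bound_le(a, b):
    """a is at least as tight as b (a strict bound beats a non-strict one)."""
    return a[0] < b[0] or (a[0] == b[0] and (a[1] or not b[1]))

def bound_add(a, b):
    return (a[0] + b[0], a[1] or b[1])

def canonical(d):
    """Floyd-Warshall closure of a DBM; None if the zone is empty."""
    n = len(d)
    d = [row[:] for row in d]
    for k, i, j in product(range(n), repeat=3):
        via = bound_add(d[i][k], d[k][j])
        d[i][j] = via if bound_le(via, d[i][j]) else d[i][j]
    if any(d[i][i] != ZERO and bound_le(d[i][i], ZERO) for i in range(n)):
        return None              # negative cycle: no clock valuation satisfies it
    return d

def constrain(d, i, j, b):
    """Conjoin x_i - x_j <= b (a guard or invariant); an empty zone stays None."""
    if d is None:
        return None
    d = [row[:] for row in d]
    d[i][j] = b if bound_le(b, d[i][j]) else d[i][j]
    return canonical(d)

def up(d):
    """Let time elapse: drop every upper bound x_i - x_0 (closure is preserved)."""
    d = [row[:] for row in d]
    for i in range(1, len(d)):
        d[i][0] = INF
    return d

def reset(d, i):
    """The clock reset assignment x_i := x_0 + 0 of Section 9.2.1."""
    d = [row[:] for row in d]
    for j in range(len(d)):
        if j != i:
            d[i][j], d[j][i] = d[0][j], d[j][0]
    return d

def subset(d1, d2):
    """Containment check phi_new => phi_old on canonical DBMs."""
    n = len(d1)
    return all(bound_le(d1[i][j], d2[i][j]) for i in range(n) for j in range(n))

# Example 9.1 (Figure 9.1); clock index 0 is x_0, 1 is x_1, 2 is x_2.
# Assumed from the discussion of Figure 9.1: a resets x_1 and b resets x_2.
X1_LT_1 = (1, 0, (1, True))    # x_1 - x_0 < 1
X2_GT_2 = (0, 2, (-2, True))   # x_0 - x_2 < -2, i.e. x_2 > 2
INVARIANT = {"l0": [], "l1": [X1_LT_1], "l2": [X1_LT_1], "l3": []}
TRANSITIONS = [                # (source, label, guards, resets, target)
    ("l0", "a", [], [1], "l1"),
    ("l1", "b", [], [2], "l2"),
    ("l2", "c", [], [], "l3"),
    ("l3", "d", [X2_GT_2], [], "l0"),
]

def post_time(loc, z):
    """Equation 9.8: elapse time while the location invariant keeps holding."""
    z = up(z)
    for i, j, b in INVARIANT[loc]:
        z = constrain(z, i, j, b)
    return z

def post_E(loc, z):
    """Equation 9.9: fire each enabled transition, yielding (target, zone)."""
    for src, _, guards, resets, dst in TRANSITIONS:
        w = z if src == loc else None
        for i, j, b in guards:
            w = constrain(w, i, j, b)
        if w is None:
            continue             # not from this location, or guard unsatisfiable
        for i in resets:
            w = reset(w, i)
        yield dst, w

def reachable(n_clocks=2):
    """Steps 1-3: phi_new := phi_old v post_E(post_time(phi_old)) until stable."""
    zero = [[ZERO] * (n_clocks + 1) for _ in range(n_clocks + 1)]  # all clocks 0
    reach = {"l0": [zero]}        # phi_0: initial location with all clocks zero
    changed = True
    while changed:                # step 2: repeat while phi_old != phi_new
        changed = False
        for loc in list(reach):
            for z in list(reach[loc]):
                elapsed = post_time(loc, z)
                if elapsed is None:
                    continue
                for dst, w in post_E(loc, elapsed):
                    zones = reach.setdefault(dst, [])
                    if not any(subset(w, old) for old in zones):
                        zones.append(w)
                        changed = True
    return reach    # as in step 2(d): phi_0 plus the states right after a transition
```

Each zone is read off its DBM: entry [i][0] is the upper bound on x_i and entry [0][j] the negated lower bound on x_j, so the single zone found for l_3 records that c fires with x_1 < 1, as the text says.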


9.3.1  Implementation  and  Results 

We  implemented  a  model  checker  called  TMV  that  uses  BDDs  to  represent  Boolean  functions  and 
incorporates  all  the  optimizations  described  in  Section  8.4.  The  model  checker  is  written  in  the 
O’Caml  language  and  uses  the  CUDD  package  [47]  for  BDD  manipulation. 

We have performed experiments comparing the performance of our model checker for both reachability
and non-reachability Tμ properties. For reachability properties, we compare against the other
unbounded, fully symbolic model checkers, viz., a DDD-based checker (DDD) [102] and Red version
4.1 [161], which have been shown to outperform Uppaal2k and KRONOS for reachability
analysis.  For  non-reachability  properties,  such  as  checking  that  a  system  is  non-zeno,  we  compare 
against  KRONOS  and  Red,  the  only  other  unbounded  model  checkers  that  check  such  properties. 

As  an  illustrative  example,  we  use  Fischer’s  protocol  for  mutual  exclusion.  Tools  such  as  DDD  and 
Red  that  we  compare  against  have  been  shown  to  perform  well  on  this  example  for  reachability 
properties.  The  automaton  for  the  ith  process  in  this  protocol  is  shown  in  Figure  9.2.  We  ran  two 
experiments  with  this  example.  The  first  experiment  compared  our  model  checker  against  DDD  and 
Red,  checking  that  the  system  preserves  mutual  exclusion  (a  reachability  property).  In  the  second 
experiment,  we  compared  against  KRONOS  and  Red  for  checking  that  the  product  automaton  is 
non-zeno  (a  non-reachability  property).  All  experiments  were  run  on  a  notebook  computer  with  a  1 
GHz Pentium-III processor and 128 MB RAM, running Linux. We ran DDD, Kronos, and Red
with their default options. For our implementation, we turned off dynamic variable reordering in
CUDD. To come up with a static variable ordering, we classified the BDD variables in our Boolean
encoding as follows. The first class, C_id, consists of variables encoding the shared integer id. For
each i, class C(i) contains the BDD variables encoding locations and clock constraints for process
i. Finally, class C(i, j) encodes predicates relating clock variables from processes i and j. We used
a static variable ordering that groups together variables in the same class, places class C_id at the
top, orders C(i) before C(j) iff i < j, and places C(i, j) right after C(j) for j > i. New BDD
variables added during model checking are inserted into the order at positions that depend upon the
class they fall into. The same static variable order was used for the corresponding Boolean variables
and difference constraints in DDD.


Figure 9.2: Fischer's mutual exclusion protocol. The timed automaton for the ith process is
shown. Edges are labeled with guards and assignments, omitting either where unnecessary.

Table  9.1  shows  the  results  of  the  comparison  against  DDD  and  Red  for  checking  mutual  exclusion 
for  increasing  numbers  of  processes.  For  DDD  and  TMV,  the  table  lists  both  the  run-times  and 
the  peak  number  of  nodes  in  the  decision  diagram  for  the  reachable  state  set.  We  find  that  DDD 
outperforms TMV due to the blow-up of BDDs. In spite of the optimizations of Section 8.4, the
peak node count in the case of DDD is less than that for TMV for the larger benchmarks. In
particular, in addition to eliminating infeasible paths as TMV does, the local reduction operations
performed by DDD during node creation can eliminate unnecessary DDD nodes without adding
any time overhead. For example, DDD can reduce a function of the form e_1 ∧ e_2 ∧ e_3 under the
transitivity constraint [e_1 ∧ e_2] ⟹ e_3 to simply the conjunction e_1 ∧ e_2. The BDD Restrict
operator cannot always achieve this as it is sensitive to the BDD variable ordering. Furthermore,
TMV contains many other BDDs, such as those for the transitivity constraints, to which we do not
apply the Restrict optimization due to its runtime overhead. Finally, in comparison to Red,
we see that while TMV is faster on the smaller benchmarks, Red's superior memory performance
enables it to complete for 7 processes while TMV runs out of memory.


Number of   Red           DDD                          TMV
Processes   Time (sec.)   Time (sec.)   Reach Set      Time (sec.)   Reach Set
                                        (peak nodes)                 (peak nodes)
3           0.21          0.06          130            0.11          101
4           1.13          0.14          352            0.38          316
5           4.53          0.33          854            1.85          1127
6           15.11         0.90          2375           17.41         4685
7           46.31         2.65          6346           *             *

Table 9.1: Checking mutual exclusion for Fischer's protocol. A * indicates that the model
checker ran out of memory.


Table  9.2  shows  the  comparison  with  Kronos  and  Red  for  checking  non-zenoness.  The  time  for 
Kronos  is  the  sum  of  the  times  for  product  construction  and  backward  model  checking.  We  notice 
that while KRONOS does better for smaller numbers of processes, the product automaton it constructs
grows very quickly, becoming too large to construct at 6 processes. The run times for TMV,
on the other hand, grow much more gradually, demonstrating the advantages of a fully symbolic approach.
For this property, the BDDs remain small even for larger numbers of processes. Thus, TMV
outperforms Red, especially as the number of processes increases. These results indicate that when
the representation (BDDs) remains small, Boolean methods for quantifier elimination and deciding
DL  can  outperform  non-Boolean  methods  by  a  significant  factor. 


Number of   Kronos        Red           TMV
Processes   Time (sec.)   Time (sec.)   Time (sec.)   Reach Set (peak nodes)
3           0.03          0.28          0.24          28
4           0.23          1.30          0.44          39
5           1.98          5.05          0.80          54
6           *             17.80         2.15          69
7           *             57.95         6.61          88

Table 9.2: Checking non-zenoness for Fischer's protocol. A * indicates that KRONOS exited
with an "out of memory" error.
Discussion

The results in this section, although limited, indicate that our model checker based on a general
purpose BDD package can outperform methods based on specialized representations of DL formulas.
The drawback of our BDD-based implementation is its poor memory performance on some
examples.  However,  there  is  scope  for  improving  our  implementation,  especially  in  finding  more 
efficient  ways  of  eliminating  unnecessary  BDD  nodes  as  is  possible  with  DDDs.  Furthermore,  note 
that  the  memory  problems  we  face  arise  from  our  use  of  BDDs,  while  the  techniques  proposed  in 
this  thesis  can  make  use  of  any  representation  of  Boolean  functions.  In  particular,  a  SAT-based 
implementation  of  our  method  might  better  handle  the  growth  in  the  number  of  Boolean  variables. 

While  Fischer’s  protocol  is  an  interesting  toy  example,  the  real  test  of  our  model  checker  is  how 
it  performs  on  practical  problems.  In  the  next  section,  we  describe  an  application  of  our  model 
checker  to  the  verification  of  timed  circuits. 


9.4  Verification  of  Timed  Circuits 

Timing assumptions are commonly used in the design of both asynchronous and synchronous circuits
in order to improve performance. Examples include the GasP circuits [150], the Global STP
circuit  in  the  Intel  Pentium  4  processor  [72],  and  the  RAPPID  instruction  decoder  [143].  However, 
the  use  of  timing  assumptions  comes  at  an  added  verification  cost:  The  circuit  behavior  must  be 
verified  under  these  constraints,  and  furthermore,  the  constraints  must  themselves  be  verified  pre- 
and  post-layout. 

A  promising  recent  approach  to  this  verification  problem  is  to  use  a  design  methodology  based  on 
relative timing [145]. In the relative timing (RT) paradigm, timing assumptions are made explicit,
by adding constraints on the relative ordering of signal transitions to an otherwise untimed design.
In contrast, other methods use implicit timing assumptions, where the timing assumptions are either
implicit  in  a  design  style  (such  as  Burst-Mode  techniques,  e.g.  [115])  or  imposed  at  the  gate-level  in 
the  circuit  model  (such  as  metric  timed  circuit  design  [105]).  Using  the  RT  paradigm,  verification 
proceeds  in  two  steps: 

1.  Checking  correctness  under  timing  constraints:  RT  constraints  are  identified  and  the  correct 
operation  of  the  circuit  is  verified  under  those  constraints.  Typically,  one  either  checks  that 
the implemented circuit I only exhibits behaviors of a specification S, or that it satisfies a
specific property φ formulated in a suitable temporal logic.

2. Verifying that the circuit obeys timing constraints: The identified RT constraints are themselves
verified using standard simulation or static timing analysis techniques. The constraints
can be verified pre-layout to ensure that they have sufficient margin based on expected design
parameters. The constraints also must be validated post-layout with extracted data to
ensure that place and route, sizing, and buffer insertion have not skewed the delays beyond
acceptable  values. 

The RT approach of explicitly stating timing constraints has the advantage that it applies to many asynchronous design styles [145]. It supports a design philosophy of adding timing constraints incrementally and of giving the designer flexibility in using timing constraints. Also, unlike gate-level metric timing, it does not rely on conservatively set min-max bounds on gate delays.

However, current RT-based verification techniques (e.g., [85, 121]) fall short in three respects. First, not all timing constraints can be expressed as the relative ordering of signal transitions. Secondly, current verification tools are yet to scale up to relatively large circuits and achieve the success obtained by symbolic methods for untimed systems (e.g., [33]). Finally, previous work on relative timing-based verification [85, 121] does not satisfactorily address the problem of verifying that the circuit obeys the constraints.

In  this  section,  we  address  these  shortcomings  by  making  the  following  novel  contributions: 

• A generalized notion of relative timing: We introduce the concept of a generalized relative timing (GRT) constraint, one that specifies a relative ordering not just between events, but between the time intervals between pairs of events. This generalization adds the capability to model some metric timing information, which is formally modeled using real-valued clock variables. The resulting circuit model is a timed automaton. However, since metric timing constraints are typically far fewer than non-metric GRT constraints, we employ relatively few clock variables.

• Application of fully symbolic verification methods: We use the new fully symbolic model checking algorithm introduced earlier in this chapter. Along with the modeling methodology described above, this enables us to verify circuits that are significantly larger than those verifiable with other methods. As an example, we have efficiently analyzed the Global STP circuit [72], finding an error in the published circuit, and then successfully verifying a fixed version.

This section is organized as follows. We introduce the idea of generalized relative timing in Section 9.4.2. In Section 9.4.3, we describe how timed circuits are formalized as timed automata. Case studies are presented in Section 9.4.4.

9.4.1 Previous Work

Several techniques have been proposed in the past 15 years to model timing constraints in circuit design. A common approach is to specify upper and lower bounds on the delay between when a transition is enabled and when it fires. Formalisms such as timed transition systems [70], timed Petri nets [128] and timed event and event/level structures [16, 101, 105] are used for this purpose, and the constraints are referred to as gate-level metric timing constraints. This is an intuitive model, but since the timing information is provided at the gate-level, verification tools based on this model are restricted to relatively small circuits. Even with the use of partial order reduction methods (e.g., [16, 101]), the size of the untimed state space still presents a performance bottleneck. The min-max delay bounds can impose unnecessary timing constraints on unrelated parts of the circuit. Furthermore, designers must be relatively conservative on how they set the bounds, since these can depend on post-layout information.

Another formalism for modeling timed systems is that of timed automata [5], which is more expressive than timed transition systems [6], in that it can model "more global" timing constraints. Maler and Pnueli [94] model asynchronous circuits using timed automata, but their model is also at the gate-level, requiring one clock variable per gate. Thus, it suffers from the same scaling problems as the afore-mentioned metric timing methods. Our work also uses timed automata as the modeling formalism, but in an entirely different way: We model timing constraints at a higher level of abstraction, and introduce clock variables only where necessary.

The observation that enables us to selectively use clock variables is that most timing constraints are on pairs of events that have a common start event, i.e., a "point-of-divergence." A similar observation was made by Negulescu and Peeters [107, 108], who present the notion of a chain constraint, which specifies that one sequence of transitions must occur before another, with both sequences sharing a common prefix. A "point-of-divergence" constraint is more restrictive than a chain constraint in a logical sense (it specifies a relative ordering for all intermediate sequences of transitions between the start and end events), but for the same reason, it is more compact to specify. Moreover, we can model more general kinds of constraints, as we describe in Section 9.4.2.

There has been prior work on RT-based verification, with a focus on automatically generating constraints. Pena et al. [121] present an approach based on the notion of lazy transition systems. Their approach automatically and iteratively generates RT constraints to rule out spurious counterexamples; however, the process of adding RT constraints relies on knowing min-max bounds on gate delays. Kim et al. [85] present a verification methodology based on a different technique of automatically generating RT constraints, but do not address the problem of verifying that the circuit obeys the constraints. While we do not automatically generate timing constraints, our work targets a more general class of timing constraints, and provides ways of verifying that the constraints hold for the circuit.
Clariso and Cortadella [40] present a gate-level modeling approach that represents gate delays by symbols, rather than by constant bounds. Thus, this model is more expressive than metric timing. However, the verification problem is even harder than for timed transition systems, and the approach is restricted to very small circuits.

In the context of asynchronous circuits, there has been much work on algorithms for model checking timed systems; see, for example, the work by Myers, Yoneda, et al. (e.g., [16, 101, 105, 167]). The main difference with our work is that these methods are symbolic in the real-valued part, but explicit-state in the Boolean part; hence, in spite of incorporating partial-order reduction, large circuits are often outside their capacity.

There  has  also  been  work  on  methods  that  use  compositional  reasoning  or  abstraction  to  achieve 
better  scalability  (e.g.,  [170]).  Our  focus,  in  this  thesis,  is  on  demonstrating  scalability  without  using 
compositional  reasoning  or  abstraction;  however,  nothing  precludes  using  the  techniques  presented 
herein  along  with  such  methods. 

9.4.2  Modeling  Timed  Circuits 

A timed circuit is a triple $(\mathcal{V}, \mathcal{R}, \mathcal{T})$, where $\mathcal{V}$ is a set $\{v_1, v_2, \ldots, v_n\}$ of circuit signals, $\mathcal{R}$ is a set $\{r_1, r_2, \ldots, r_m\}$ of rules, and $\mathcal{T}$ is a set $\{\tau_1, \tau_2, \ldots, \tau_p\}$ of timing constraints. The set of initial values of signals in $\mathcal{V}$ is specified as a Boolean formula $I_{\mathcal{V}}$.

The circuit signals, which are the state variables of the system, are comprised of inputs, outputs, and intermediate signals. A transition (also referred to as an event) is a change in logic level of a signal. Transition $v_i\uparrow$ corresponds to the transition of $v_i$ from 0 to 1, and $v_i\downarrow$ to the transition from 1 to 0. We will use the symbol $\theta_i$ to refer to either transition for signal $v_i$.

The untimed circuit behavior is defined by the set of rules $\mathcal{R}$, which comprises $m = 2n$ rules, one for each signal transition.⁴ The 2 rules for the $i$th signal $v_i$ are written as

$\mathcal{E}_{v_i\uparrow} \mapsto v_i\uparrow$ and $\mathcal{E}_{v_i\downarrow} \mapsto v_i\downarrow$

where $\mathcal{E}_{\theta_i}$ is a Boolean formula over $\mathcal{V}$ indicating the enabling condition for transition $\theta_i$ to fire.

Although we have only introduced two events per signal (corresponding to up and down transitions), it would be straightforward to add finitely-many instances of each event. That is, for a given event $\theta_i$, we can keep track of not only each instance of $\theta_i$ but also every second, third, ..., $k$th instance of $\theta_i$ for a constant $k$, with the use of additional state bits to keep track of a "count." However, we have rarely needed to track more than one instance of each event.

We will assume an inertial gate model (but without bounds on gate delays). Thus, it is allowed for a transition that was enabled to become disabled without having fired, as long as the circuit satisfies its specification. In the absence of an explicit timing constraint involving transition $\theta_i$, the time taken for $\theta_i$ to fire after being enabled can be any value in $[0, \infty)$; i.e., rules, by themselves, are purely untimed.

⁴Notice that this is similar to the language of production rules [96].

Generalized  Relative  Timing 

The  novel  aspect  of  how  we  model  circuits  is  in  the  formulation  of  generalized  relative  timing 
constraints,  which  combine  relative  timing  with  a  capability  to  incorporate  some  metric  timing 
information. 

Let $\Delta(\theta_i, \theta_j)$ denote the time interval between an occurrence of $\theta_j$ and the occurrence of $\theta_i$ immediately preceding it.

The  following  definition  formalizes  the  notion  of  generalized  relative  timing  (GRT): 

Definition 9.1 Let $\theta_i, \theta_i', \theta_j, \theta_k$ be four transitions such that $\theta_j \neq \theta_k$. Then, a generalized relative timing constraint on $\theta_i, \theta_i', \theta_j, \theta_k$ is of the form:

For all occurrences of transitions $\theta_j$ and $\theta_k$,

$\Delta(\theta_i, \theta_j) < \Delta(\theta_i', \theta_k) + d$

where $d$ is a rational constant.

It is sometimes useful to use a non-strict inequality ($\le$) instead of the strict inequality used above, or to drop one of the $\Delta(\cdot, \cdot)$ terms in the inequality so as to impose an upper or lower bound on the time interval between events.

Point-of-divergence constraint. An extremely common sub-class of GRT constraints are those such that $\theta_i = \theta_i'$, $d = 0$, and the same occurrence of $\theta_i$ immediately precedes all occurrences of both $\theta_j$ and $\theta_k$. In this case, the timing constraint specifies that, measuring time from the point $\theta_i$ occurs, $\theta_j$ must always occur before $\theta_k$. We will refer to this special case as a point-of-divergence (POD) constraint. (The name comes from the divergence in two paths starting from transition $\theta_i$.) We write a POD constraint as $\theta_i \to \theta_j \prec \theta_k$.

Typically, $\theta_j$ and $\theta_k$ causally depend on $\theta_i$. However, note that this need not be the case! By the definition of $\Delta(\theta_i, \theta_j)$, the point-of-divergence in the constraint is simply the occurrence of $\theta_i$ that is closest in time to $\theta_j$ and $\theta_k$, which need not have caused either of them.

Note also that the concept of a POD constraint is essentially the same as that of the original RT constraint, since, in order to implement a relative ordering between events, one would have to trace them back to a point-of-divergence; hence the name generalized relative timing.

Metric timing constraints. The presence of $d$ in the definition allows us to express a limited form of metric timing constraints. In particular, we can express constraints of the form $d_1 < \Delta(\theta_i, \theta_j) < d_2$. Note, however, that we cannot directly specify the min-max timing assumptions used in timed transition systems [70] and related formalisms, since that would require constraining the delay between when a transition is enabled and when it fires.⁵

Compound timing constraints. In some cases, such as the Global STP circuit that is our primary case study, we have observed the need for compound timing constraints formed as an XOR of two (simple) timing constraints. Such a constraint is written as $\tau_i\ \mathrm{XOR}\ \tau_j$. We have needed such compound constraints to reason about relative ordering between instances of events from different cycles of circuit operation. Further discussion of such constraints is deferred to the case study in Section 9.4.4.

In all our case studies to date, we have found the class of generalized relative timing constraints to be sufficient. In fact, most constraints tend to be simple (i.e., not compound) POD constraints. Metric timing constraints are used only when there is explicit use of delay values in the design.

We  present  two  examples  to  illustrate  our  methodology  for  modeling  timing  constraints. 

Example 9.2 Consider the implementation of a C-element using three AND gates and an OR gate, as shown in Figure 9.3.

Figure 9.3: Implementation of a C-element

$a$ and $b$ denote the input signals, and $c$ is the output. It is easy to see that in order to work correctly, it is sufficient for the circuit in Figure 9.3 to respect the following two fundamental mode constraints, formulated here as POD constraints: $c\uparrow \to ac\uparrow \prec b\downarrow$ and $c\uparrow \to bc\uparrow \prec a\downarrow$. □

While POD constraints suffice for the preceding example, in general, we might need a more expressive timing constraint. The following example demonstrates the need for increased expressiveness.

Example  9.3  Figure  9.4  depicts  a  simple  buffer  stage  element  generated  from  the  CASH  compiler 
that  compiles  ANSI-C  programs  into  asynchronous  circuits  [159].  For  correct  operation,  this  circuit 
relies  on  two  timing  assumptions:  data  transfers  between  stages  use  a  bundled  data  protocol,  and  a 
stage  incorporates  a  matched  delay  element. 

⁵However, note that the formalism that we use, viz. timed automata, is general enough to express such constraints [6].

Figure 9.4: Buffer stage from CASH compiler

The matched delay can be formalized with the following two timing assumptions $\tau_1^{CASH}$ and $\tau_2^{CASH}$:

$\Delta(data\_in\uparrow, data\_in\_aux\uparrow) < \Delta(enable\uparrow, trigger\uparrow)$ ($\tau_1^{CASH}$)

$\Delta(data\_in\downarrow, data\_in\_aux\downarrow) < \Delta(enable\uparrow, trigger\uparrow)$ ($\tau_2^{CASH}$)

To ensure that the stage respects the bundled data protocol, we additionally need to impose two POD constraints: $enable\uparrow \to data\_out\uparrow \prec req\_out\uparrow$ and $enable\uparrow \to data\_out\downarrow \prec req\_out\uparrow$. □

Note that the matched delay assumptions $\tau_1^{CASH}$ and $\tau_2^{CASH}$ in Example 9.3 can be reformulated as POD constraints by tracing back to the enable signal of the previous stage. However, this breaks modularity, since the timing constraints involving signals of a module reference internal signals of another module. In general, we have found that while it is often possible to reformulate metric timing constraints as POD constraints, it is at the cost of modularity.
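As an added illustration of Definition 9.1 and its POD special case (this is example code written for this page, not code from the thesis or from its TMV model checker), the following Python checker evaluates GRT constraints over a timed trace. A trace is a constructed, time-ordered list of (time, transition) pairs; the traces below exercise the C-element POD constraint $c\uparrow \to ac\uparrow \prec b\downarrow$ of Example 9.2 and the matched-delay assumption $\tau_1^{CASH}$ of Example 9.3, with constructed timestamps. Pairing the $n$th occurrence of $\theta_j$ with the $n$th occurrence of $\theta_k$ in the general check is an assumption of this example about how "for all occurrences" is read over a multi-cycle trace; the POD check uses the shared point-of-divergence directly.

```python
"""Trace checker for generalized relative timing (GRT) constraints.

Added illustration, not code from the thesis or its TMV model checker.  A trace
is a constructed, time-ordered list of (time, transition) pairs, where a
transition is a string such as "c+" (rising) or "b-" (falling).  Delta(ti, tj)
follows Definition 9.1: the interval between an occurrence of tj and the
occurrence of ti immediately preceding it.  Pairing the n-th occurrence of tj
with the n-th occurrence of tk in the general check is this example's own
assumption about how "for all occurrences" is read over a multi-cycle trace.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Trace = List[Tuple[float, str]]


def preceding(trace: Trace, idx: int, trans: str) -> Optional[float]:
    """Time of the occurrence of `trans` immediately preceding trace[idx], if any."""
    for t, ev in reversed(trace[:idx]):
        if ev == trans:
            return t
    return None


def deltas(trace: Trace, ti: str, tj: str) -> List[Optional[float]]:
    """Delta(ti, tj) for every occurrence of tj, in trace order (None if no ti precedes it)."""
    out: List[Optional[float]] = []
    for idx, (t, ev) in enumerate(trace):
        if ev == tj:
            p = preceding(trace, idx, ti)
            out.append(None if p is None else t - p)
    return out


@dataclass(frozen=True)
class GRT:
    """Delta(ti, tj) < Delta(ti_, tk) + d  (Definition 9.1; '<=' when strict is False)."""
    ti: str
    tj: str
    ti_: str
    tk: str
    d: float = 0.0
    strict: bool = True

    def holds(self, trace: Trace) -> bool:
        left = deltas(trace, self.ti, self.tj)
        right = deltas(trace, self.ti_, self.tk)
        for dl, dr in zip(left, right):   # n-th tj paired with n-th tk (assumption)
            if dl is None or dr is None:
                continue                   # an interval is undefined: nothing to compare
            violated = dl >= dr + self.d if self.strict else dl > dr + self.d
            if violated:
                return False
        return True


def pod_holds(trace: Trace, ti: str, tj: str, tk: str) -> bool:
    """POD constraint ti -> tj < tk: measured from the occurrence of ti that immediately
    precedes tk, some tj must already have fired, so the same ti precedes both."""
    for idx, (t, ev) in enumerate(trace):
        if ev != tk:
            continue
        p = preceding(trace, idx, ti)
        if p is None:
            continue                       # no point of divergence yet: vacuous
        if not any(p < tt < t and e == tj for tt, e in trace[:idx]):
            return False
    return True


def bounded_interval_holds(trace: Trace, ti: str, tj: str, d1: float, d2: float) -> bool:
    """Metric form d1 < Delta(ti, tj) < d2: one Delta term of Definition 9.1 dropped."""
    return all(dv is None or d1 < dv < d2 for dv in deltas(trace, ti, tj))


# Constructed traces for the C-element of Example 9.2 (c+ -> ac+ < b-) ...
C_GOOD: Trace = [(0.0, "a+"), (1.0, "b+"), (3.0, "c+"), (4.0, "ac+"), (4.0, "bc+"), (6.0, "a-"), (6.0, "b-")]
C_BAD: Trace = [(0.0, "a+"), (1.0, "b+"), (3.0, "c+"), (3.5, "b-"), (4.0, "ac+")]
# ... and for the matched-delay assumption tau_1^CASH of Example 9.3 (constructed times).
CASH_GOOD: Trace = [(0.0, "enable+"), (1.0, "data_in+"), (3.0, "data_in_aux+"), (10.0, "trigger+")]
CASH_BAD: Trace = [(0.0, "enable+"), (1.0, "data_in+"), (5.0, "trigger+"), (9.0, "data_in_aux+")]
TAU1_CASH = GRT("data_in+", "data_in_aux+", "enable+", "trigger+")

if __name__ == "__main__":
    print("C-element POD, good trace:", pod_holds(C_GOOD, "c+", "ac+", "b-"))
    print("C-element POD, bad trace: ", pod_holds(C_BAD, "c+", "ac+", "b-"))
    print("tau_1^CASH, good trace:", TAU1_CASH.holds(CASH_GOOD))
    print("tau_1^CASH, bad trace: ", TAU1_CASH.holds(CASH_BAD))
```

On the bad C-element trace, $b\downarrow$ fires 0.5 time units after $c\uparrow$ while $ac\uparrow$ has not yet fired, so the POD check fails; expressing the same constraint as the GRT instance `GRT("c+", "ac+", "c+", "b-")` gives the same verdicts, which is the point of the special case. On the bad CASH trace the buffer interval (8 units) exceeds the delay-element interval (5 units), the situation the matched-delay assumption rules out.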

Verifying  Timing  Constraints 

The verification methods presented in this chapter prove that the timed circuit design is correct given the set of timing constraints $\mathcal{T}$. However, they do not prove that the constraints actually hold given the true delays in the design. Timing constraints can be constructed that do not hold in a design, as will be shown later in Section 9.4.4. Therefore, these must be proved separately, in addition to verifying the logical functionality of the circuit. We briefly describe this process to show that a consistent design flow exists for our verification method.

Given a POD constraint $\theta_i \to \theta_j \prec \theta_k$, we must prove that any sequence of events from $\theta_i$ to $\theta_j$ always occurs before the events from $\theta_i$ to $\theta_k$. This is accomplished by tracing and timing the maximum and minimum delay paths from the POD to the end points, and comparing the results. We compute the maximum delay of the left path ($\theta_i \ldots \theta_j$) and the minimum delay for the right path ($\theta_i \ldots \theta_k$). This ensures that no combination of delays will cause $\theta_k$ to occur before $\theta_j$. The same conditions exist for the general form of constraints $\Delta(\theta_i, \theta_j) < \Delta(\theta_i', \theta_k) + d$, where the tracing may occur to different starting points, and a constant delay is added when the path delays are compared.

We illustrate static timing validation using the circuit in Figure 9.3. There are two POD constraints, the first of which is $c\uparrow \to ac\uparrow \prec b\downarrow$. Validating this constraint requires evaluation of the max-delay path from $c\uparrow$ to $ac\uparrow$. This is simply the maximum rise delay through the gate corresponding to $ac$, since signal $a$ is already asserted. Similarly, the minimum delay path from $c\uparrow$ to $b\downarrow$, which depends on how the gate is connected to its environment, is calculated and compared with the maximum rising delay of the gate $ac$ to validate this constraint. The second constraint $c\uparrow \to bc\uparrow \prec a\downarrow$ is similarly validated.
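The max/min path comparison just described, as an added worked example in Python (not code from the thesis, and not the PrimeTime flow mentioned below). The circuit is a constructed delay graph whose nodes are transitions and whose edges carry $[\min, \max]$ gate delays; the C-element delays and the seven-versus-five gate chain, which mirrors the count the thesis reports for $\tau_6^{GSTP}$ in Section 9.4.4, are constructed values. The left path is timed at its maximum, the right path at its minimum, and the constant $d$ of the general form is added when the two are compared.

```python
"""Static validation of POD / GRT constraints by max- and min-delay path tracing.

Added illustration: not code from the thesis and not the PrimeTime flow it
mentions.  A circuit is a constructed delay graph whose nodes are transitions
(strings such as "c+" for rising, "b-" for falling) and whose edges carry
[min, max] gate delays.  The left path of a constraint is timed at its maximum,
the right path at its minimum, and the constraint is validated only if the
inequality of Definition 9.1 still holds under that worst case.
"""
from typing import Dict, List, Optional, Set, Tuple

DelayGraph = Dict[str, List[Tuple[str, float, float]]]   # src -> [(dst, dmin, dmax)]


def extreme_path(graph: DelayGraph, src: str, dst: str, longest: bool) -> Optional[float]:
    """Max-delay (longest=True) or min-delay path from src to dst; None if unreachable.
    Exhaustive search over simple paths, adequate for the small cones traced here."""
    best: Optional[float] = None

    def dfs(node: str, acc: float, seen: Set[str]) -> None:
        nonlocal best
        if node == dst:
            if best is None or (acc > best if longest else acc < best):
                best = acc
            return
        for nxt, dmin, dmax in graph.get(node, []):
            if nxt not in seen:           # no revisits: state-holding feedback is cut here
                dfs(nxt, acc + (dmax if longest else dmin), seen | {nxt})

    dfs(src, 0.0, {src})
    return best


def validate_grt(graph: DelayGraph, ti: str, tj: str, ti_: str, tk: str,
                 d: float = 0.0) -> Tuple[bool, float, float]:
    """Validate Delta(ti, tj) < Delta(ti_, tk) + d; returns (ok, max_left, min_right)."""
    max_left = extreme_path(graph, ti, tj, longest=True)
    min_right = extreme_path(graph, ti_, tk, longest=False)
    if max_left is None or min_right is None:
        raise ValueError("constraint mentions a path absent from the delay graph")
    return max_left < min_right + d, max_left, min_right


def validate_pod(graph: DelayGraph, ti: str, tj: str, tk: str) -> Tuple[bool, float, float]:
    """POD constraint ti -> tj < tk is the GRT special case ti_ = ti, d = 0."""
    return validate_grt(graph, ti, tj, ti, tk, 0.0)


def chain(names: List[str], dmin: float, dmax: float) -> DelayGraph:
    """Constructed helper: a chain of gates, each with delay in [dmin, dmax]."""
    g: DelayGraph = {}
    for a, b in zip(names, names[1:]):
        g.setdefault(a, []).append((b, dmin, dmax))
    return g


def merge(*graphs: DelayGraph) -> DelayGraph:
    """Union of several delay graphs sharing nodes."""
    out: DelayGraph = {}
    for g in graphs:
        for k, v in g.items():
            out.setdefault(k, []).extend(v)
    return out


# Constructed delays for the C-element of Figure 9.3: the AND gate ac rises in [0.8, 1.2];
# the environment needs at least 1.5 + 0.5 after c+ before it lowers an input.
C_ELEMENT: DelayGraph = merge(
    {"c+": [("ac+", 0.8, 1.2), ("bc+", 0.8, 1.2), ("env", 1.5, 2.5)]},
    {"env": [("b-", 0.5, 0.8), ("a-", 0.5, 0.8)]},
)

# Constructed graph mirroring the failing constraint tau_6^GSTP of Section 9.4.4:
# 7 gate delays from ck+ to LP.pch*+ on the left versus only 5 to RES1.r1- on the right.
GSTP_LIKE: DelayGraph = merge(
    chain(["ck+", "g1", "g2", "g3", "g4", "g5", "g6", "LP.pch*+"], 0.9, 1.1),
    chain(["ck+", "h1", "h2", "h3", "h4", "RES1.r1-"], 0.9, 1.1),
)

if __name__ == "__main__":
    print("c+ -> ac+ < b-:", validate_pod(C_ELEMENT, "c+", "ac+", "b-"))
    print("ck+ -> LP.pch*+ < RES1.r1-:", validate_pod(GSTP_LIKE, "ck+", "LP.pch*+", "RES1.r1-"))
```

The C-element constraint validates because the slowest $ac$ rise (1.2) is still shorter than the fastest environment response (2.0); the seven-gate left path loses to the five-gate right path and the constraint is rejected, which is the shape of the error reported for the published Global STP circuit. Passing a nonzero $d$ to `validate_grt` shows how the constant in the general form shifts the comparison.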

The capability of automatically tracing and timing maximum and minimum delay paths, and comparing the results, is supported in most commercial timing tools such as PrimeTime [152]. Therefore, it is possible to automatically validate all the constraints in $\mathcal{T}$. However, some complications arise in automatically tracing signals through sequential elements (such as the C-element of Figure 9.3), since static tools may not correctly cut feedbacks that exist solely to retain state. Fully automatic translation and validation of GRT constraints using static timing tools is left to future work.

The  timing  constraints  used  in  this  chapter  were  identified  manually,  many  with  the  assistance  of  a 
relative-timing  enhanced  verification  engine  [144].  Automatic  generation  of  GRT  constraints  is  left 
to  future  work. 

9.4.3  From  Circuits  to  Timed  Automata 

We describe how we formally model timed circuits as timed automata. The timed guarded commands representation of timed automata is used, as it is more intuitive in the current context.

The translation of a timed circuit $(\mathcal{V}, \mathcal{R}, \mathcal{T})$ to a timed automaton $T$ is performed in three steps.

Initialization. The set of Boolean state variables of $T$ is initialized to be the set of signals $\mathcal{V}$, while the set of clock variables $X$ is initialized to $\emptyset$.

Each rule of the timed circuit gets translated to a corresponding guarded command of the timed automaton; thus, there is exactly one guarded command for each transition $\theta$. For transition $\theta$ with corresponding rule $\mathcal{E}_\theta \mapsto \theta$, we initialize its guarded command to be $\mathcal{E}_\theta \Rightarrow \theta$.

The invariant $\mathcal{I}_T$ is initialized to be true, and $\psi_0$ is set to be $I_{\mathcal{V}}$ (the set of initial signal values).

Adding auxiliary variables. For each timing constraint, we add an additional Boolean or clock variable to store timing information.

Let $\tau_t$ be the $t$th timing constraint.

If $\tau_t$ is a POD constraint, we only introduce a fresh Boolean state variable $b_t$ into $\mathcal{V}$.

Suppose $\tau_t$ is not a POD constraint, and is of the form $\Delta(\theta_i, \theta_j) < \Delta(\theta_i', \theta_k) + d$. Then we not only introduce a fresh Boolean state variable $b_t$ into $\mathcal{V}$, but also add two clock variables $x_{\theta_i,\theta_j}$ and $x_{\theta_i',\theta_k}$ to $X$.

Encoding timing constraints. We encode timing constraints in sequence, running through the set $\mathcal{T} = \{\tau_1, \tau_2, \ldots, \tau_p\}$. As we encounter timing constraints containing a transition $\theta$, we update the guarded command corresponding to it.

Suppose we are encoding timing constraint $\tau_t$, which mentions transition $\theta$. Let the current form of the guarded command $\gamma$ for $\theta$ be $\psi \Rightarrow A$.

How we modify $\gamma$ depends on whether the timing constraint is a POD constraint or not, and on the role of $\theta$ in the constraint, as elaborated below:

• POD constraint: Suppose the constraint is of the form $\theta_i \to \theta_j \prec \theta_k$. There are three cases, with $\gamma$ being modified differently in each case:

Case $\theta = \theta_i$: $\gamma := \psi \Rightarrow A'$, where $A' = A \cup \{b_t\uparrow\}$.

Case $\theta = \theta_j$: $\gamma := \psi \Rightarrow A'$, where $A' = A \cup \{b_t\downarrow\}$.

Case $\theta = \theta_k$: $\gamma := \psi' \Rightarrow A$, where $\psi' = \psi \wedge \neg b_t$.

The intuition is that we take the product of the timed automaton (constructed so far) with a two-state monitor automaton as shown in Figure 9.5(a) to enforce the ordering specified by the POD constraint. The variable $b_t$ encodes the states of this automaton. Transition $\theta_k$ can only occur in the state labeled $\neg b_t$; i.e., the state in which $b_t$ is false.

• Non-POD constraint: Suppose the constraint is of the form $\Delta(\theta_i, \theta_j) < \Delta(\theta_i', \theta_k) + d$. To encode this constraint, we introduce a non-negative constant $d'$ such that $\Delta(\theta_i, \theta_j) < d' + d$ and $d' \le \Delta(\theta_i', \theta_k)$. The value of $d'$ is usually known at design time, since a non-POD constraint arises only in design styles that make use of some form of metric timing, such as the matched delay assumption used in the circuit in Figure 9.4.

We have four cases to consider:

Case $\theta = \theta_i$: $\gamma := \psi \Rightarrow A'$, where $A' = A \cup \{b_t\uparrow, x_{\theta_i,\theta_j} := 0\}$.

Case $\theta = \theta_i'$: $\gamma := \psi \Rightarrow A'$, where $A' = A \cup \{x_{\theta_i',\theta_k} := 0\}$.

Case $\theta = \theta_j$: $\gamma := \psi \Rightarrow A'$, where $A' = A \cup \{b_t\downarrow\}$.

Case $\theta = \theta_k$: $\gamma := \psi' \Rightarrow A$, where $\psi' = \psi \wedge x_{\theta_i',\theta_k} \ge d'$.

In addition, we update the invariant $\mathcal{I}_T$ of the timed automaton by conjoining the current invariant with the DL formula $b_t \Rightarrow x_{\theta_i,\theta_j} < d + d'$.

The intuition behind this translation is as follows. First, notice that the Boolean variable $b_t$ encodes, as before, the state of a monitor automaton, depicted in Figure 9.5(b). However, in this case, when $b_t$ is true, $x_{\theta_i,\theta_j}$ cannot progress beyond $d + d'$, as enforced by the invariant $\mathcal{I}_T$. Since the clock variable $x_{\theta_i,\theta_j}$ is reset when $\theta_i$ fires, this forces $\theta_j$ to occur within $d + d'$ time units of $\theta_i$. Secondly, clock variable $x_{\theta_i',\theta_k}$ is reset when $\theta_i'$ fires, and the augmented guard for $\theta_k$ ensures that $\theta_k$ can only fire $d'$ time units after $\theta_i'$. The above two mechanisms, in conjunction, ensure that the timing constraint $\tau_t$ is enforced.

Figure 9.5: Monitor automata for timing. (a) POD, (b) Non-POD, (c) XOR of POD

The extension of the translation to handle compound timing constraints is straightforward; a XOR of two constraints can be encoded by making a non-deterministic choice to either monitor one constraint or the other. The monitor automaton for the compound constraint $\tau_s\ \mathrm{XOR}\ \tau_t$, where $\tau_s = \theta_{s1} \to \theta_{s2} \prec \theta_{s3}$ and $\tau_t = \theta_{t1} \to \theta_{t2} \prec \theta_{t3}$, is shown in Figure 9.5(c). We omit the details.

Example 

Consider the circuit in Figure 9.4. The rule corresponding to the transition $trigger\uparrow$ is

$\neg trigger \wedge enable \mapsto trigger\uparrow$

Timing constraints $\tau_1^{CASH}$ and $\tau_2^{CASH}$ both mention the transition $trigger\uparrow$.

Following the translation scheme described in this section, we introduce 3 clock variables $x_{enable\uparrow,trigger\uparrow}$, $x_{data\_in\uparrow,data\_in\_aux\uparrow}$, and $x_{data\_in\downarrow,data\_in\_aux\downarrow}$. The final guarded command for $trigger\uparrow$ is

$\neg trigger \wedge enable \wedge (x_{enable\uparrow,trigger\uparrow} \ge d') \Rightarrow trigger\uparrow$

where $d'$ is the delay corresponding to the delay element in the figure.

The invariant $\mathcal{I}_T$ is the Boolean formula

$(b_1 \Rightarrow x_{data\_in\uparrow,data\_in\_aux\uparrow} < d') \wedge (b_2 \Rightarrow x_{data\_in\downarrow,data\_in\_aux\downarrow} < d')$

$b_1$ and $b_2$ are set by $data\_in\uparrow$ and $data\_in\downarrow$ respectively, and are reset by $data\_in\_aux\uparrow$ and $data\_in\_aux\downarrow$ respectively. Thus, our encoding simply formalizes the constraint that the delay through the buffer is less than that of the delay element.
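The three-step translation of Section 9.4.3, carried out mechanically on the CASH buffer stage of this example, as added Python (written for this page; not the thesis's TMV implementation). Guards, assignment sets and the invariant are kept as readable strings so the result can be compared line by line with the guarded command and invariant above. Only the rule for $trigger\uparrow$ is taken from the text; the enabling formulas of the other buffer-stage transitions, the delay value `D` standing in for $d'$, and the `+`/`-` suffix notation for rising and falling transitions are this example's own constructed placeholders. The two bundled-data POD constraints of Example 9.3 are included so that both the POD and the non-POD cases of the encoding are exercised.

```python
"""Translation of a timed circuit (V, R, T) into timed guarded commands.

Added illustration, not code from the thesis or its TMV model checker.  It
follows the three steps of Section 9.4.3: one guarded command E_theta => theta
per rule; a Boolean b_t per constraint plus two clocks for a non-POD
constraint; then guards strengthened and assignment sets extended case by
case.  "+" / "-" suffixes denote rising / falling transitions.  Apart from the
rule for trigger+, the CASH rules and the delay D are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set, Union


@dataclass(frozen=True)
class POD:
    """Point-of-divergence constraint  ti -> tj < tk."""
    ti: str
    tj: str
    tk: str


@dataclass(frozen=True)
class GRT:
    """Delta(ti, tj) < Delta(ti_, tk) + d, with the design-time split constant d_prime:
    Delta(ti, tj) < d_prime + d  and  d_prime <= Delta(ti_, tk)."""
    ti: str
    tj: str
    ti_: str
    tk: str
    d: float
    d_prime: float


@dataclass
class GuardedCommand:
    guard: List[str]      # conjunction of literals (psi)
    assigns: List[str]    # set of simultaneous assignments (A)


@dataclass
class TimedAutomaton:
    bools: Set[str] = field(default_factory=set)
    clocks: Set[str] = field(default_factory=set)
    commands: Dict[str, GuardedCommand] = field(default_factory=dict)
    invariant: List[str] = field(default_factory=list)   # conjunction of DL formulas, I_T
    initial: str = "true"                                 # psi_0


def _add(lst: List[str], item: str) -> None:
    """Append without duplicates: two constraints may contribute the same literal."""
    if item not in lst:
        lst.append(item)


def clock(a: str, b: str) -> str:
    """Name of the clock variable x_{a,b}."""
    return f"x({a},{b})"


def translate(signals: Sequence[str], rules: Dict[str, str],
              constraints: Sequence[Union[POD, GRT]], initial: str) -> TimedAutomaton:
    """rules maps each transition theta to its enabling formula E_theta."""
    ta = TimedAutomaton(bools=set(signals), initial=initial)
    for theta, enable in rules.items():               # Step 1: E_theta => theta, I_T = true
        ta.commands[theta] = GuardedCommand([enable], [theta])
    for t, c in enumerate(constraints, start=1):
        mentioned = (c.ti, c.tj, c.tk) + ((c.ti_,) if isinstance(c, GRT) else ())
        for theta in mentioned:
            if theta not in ta.commands:
                raise KeyError(f"constraint {t} mentions {theta}, which has no rule")
        b = f"b{t}"                                       # Step 2: fresh Boolean b_t
        ta.bools.add(b)
        if isinstance(c, POD):                            # Step 3, POD cases
            _add(ta.commands[c.ti].assigns, f"{b}+")      # theta_i arms the monitor
            _add(ta.commands[c.tj].assigns, f"{b}-")      # theta_j releases it
            _add(ta.commands[c.tk].guard, f"~{b}")        # theta_k only while released
        else:                                             # Step 3, non-POD cases
            x_left, x_right = clock(c.ti, c.tj), clock(c.ti_, c.tk)
            ta.clocks.update({x_left, x_right})           # Step 2: two clock variables
            _add(ta.commands[c.ti].assigns, f"{b}+")
            _add(ta.commands[c.ti].assigns, f"{x_left} := 0")
            _add(ta.commands[c.ti_].assigns, f"{x_right} := 0")
            _add(ta.commands[c.tj].assigns, f"{b}-")
            _add(ta.commands[c.tk].guard, f"{x_right} >= {c.d_prime}")
            ta.invariant.append(f"{b} => {x_left} < {c.d + c.d_prime}")
    return ta


D = 4.0   # constructed stand-in for d', the matched delay element of Figure 9.4
CASH_SIGNALS = ["enable", "trigger", "data_in", "data_in_aux", "data_out", "req_out"]
CASH_RULES = {
    "trigger+": "~trigger & enable",                    # the rule given in the text
    "trigger-": "trigger & ~enable",                    # constructed
    "enable+": "env", "enable-": "env",                 # constructed: driven by environment
    "data_in+": "env", "data_in-": "env",
    "data_in_aux+": "data_in", "data_in_aux-": "~data_in",        # constructed buffer
    "data_out+": "data_in_aux", "data_out-": "~data_in_aux",      # constructed
    "req_out+": "trigger", "req_out-": "~trigger",                # constructed
}
CASH_CONSTRAINTS = [
    GRT("data_in+", "data_in_aux+", "enable+", "trigger+", 0.0, D),   # tau_1^CASH
    GRT("data_in-", "data_in_aux-", "enable+", "trigger+", 0.0, D),   # tau_2^CASH
    POD("enable+", "data_out+", "req_out+"),                          # bundled data
    POD("enable+", "data_out-", "req_out+"),
]


def cash_automaton() -> TimedAutomaton:
    return translate(CASH_SIGNALS, CASH_RULES, CASH_CONSTRAINTS, "~trigger & ~enable")


if __name__ == "__main__":
    ta = cash_automaton()
    for theta, gc in ta.commands.items():
        print(f"{' & '.join(gc.guard)}  =>  {{{', '.join(gc.assigns)}}}")
    print("invariant:", " & ".join(ta.invariant))
```

Running it yields the guarded command for `trigger+` with the single added guard `x(enable+,trigger+) >= 4.0` (both $\tau_1^{CASH}$ and $\tau_2^{CASH}$ contribute the same literal, so it appears once), the two invariant conjuncts over $b_1$ and $b_2$, and, for the POD constraints, `~b3` and `~b4` conjoined onto the guard of `req_out+` while `enable+` sets $b_3$ and $b_4$.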


9.4.4  Case  Studies 

We have applied our model checker, TMV, to several case studies. The main industrial case study is a published version of the Global STP circuit, a self-timed circuit used in the integer unit in the Intel Pentium 4 processor [72]. Other case studies include the GasP FIFO control circuit [150], STAPL circuits [116], and the STARI circuit [64].

Experiments  reported  on  here  were  run  on  a  Linux  workstation  with  a  2  GHz  Pentium  4  processor 
and  1  GB  of  memory. 


Global  STP  Circuit 

The Globally Reset Domino with Self-Terminating Precharge (Global STP) circuit [72] is a self-resetting domino circuit used in the integer unit of the Pentium 4 processor. The circuit uses both footed and unfooted domino inverters, shown in Figure 9.6. Figure 9.7 is a hierarchical, gate-level depiction of the Global STP circuit. The circuit we discuss here, shown in Figure 9.7, is the simplest form of the published circuit [72], with N-logic blocks replaced by wires, and static blocks replaced by inverters; our verification methods apply to the more general circuits as well.

The top-level circuit is shown in Figure 9.7(d), with the input $ck$ being a 4-GHz clock and the output being a delayed version of the same clock. In the beginning of the clock cycle, the last footed domino gate is being reset, while the first three STP stages go through an evaluation. After the precharge of the last domino gate has been turned off, the evaluate signal propagates to the output, where it is held until the next cycle. Interestingly, note that the three STP stages are reset in the same cycle in which they evaluate.
Figure 9.6: Unfooted and footed domino inverters

Figure 9.7: Global STP circuit. (a) STP stage, (b) RES stage, (c) Latch precharge (LP), (d) Overall top-level circuit

This  circuit  relies  on  a  number  of  timing  constraints  to  ensure  correct  operation.  We  were  able  to 
formulate  all  these  timing  constraints  either  as  POD  constraints  or  as  a  XOR  of  two  POD  constraints. 
We  discuss  some  of  the  more  interesting  timing  constraints  here. 

Consider the $i$th STP stage, for all $i \in \{1, 2, 3\}$ (refer to Figure 9.7(a)). Short circuit current in the domino inverter must be avoided by ensuring that the pullup and pulldown transistors are not both conducting. This is avoided with the following POD constraint that does not allow the pullup to assert until after the pulldown has been turned off. This constraint states that for stage $STP_i$, the delay of a clock phase must be shorter than the delay through the $RES_i$ block:

$ck\uparrow \to STP_i.din\downarrow \prec STP_i.res\downarrow$ ($\tau_1^{GSTP}$)

The pulse widths of the outputs in the RES stage of Figure 9.7(b) are determined by the delay through the output buffers and the self-resetting loop. The following constrains the minimum pulse width on $RES2.r2$:

$RES2.r2^*\uparrow \to RES2.r2\downarrow \prec RES2.r2^*\downarrow$ ($\tau_2^{GSTP}$)

Next, consider the footed domino inverter in Figure 9.7(d). The reset phase must terminate before the data is removed to guarantee that the domino gate correctly latches data. Tracing the paths from the clock, we can express this in terms of the following ordering between two sequences of transitions:

$ck\uparrow\ RES1.r1\uparrow\ LP.pch\downarrow\ LP.pch^*\uparrow\ LP.q\downarrow\ LP.pch\uparrow$

$ck\uparrow\ STP1.dout\uparrow\ STP2.dout\uparrow\ STP3.do^*\downarrow\ STP3.kp\uparrow\ STP3.res\downarrow\ STP3.do^*\uparrow\ STP3.dout\downarrow$

This ordering is enforced with the following constraint:

$ck\uparrow \to LP.pch\uparrow \prec STP3.dout\downarrow$ ($\tau_3^{GSTP}$)

To prevent incorrect overlap of the reset of the domino gate in each STP stage, we need a constraint stating that $STP_i.res\downarrow$ triggered by the previous rising edge of $ck$ must occur before $STP_i.kp\uparrow$ triggered by the current rising edge of $ck$. This is a multi-cycle constraint, which when written in terms of a sequence of transitions is $ck\uparrow\ STP_i.res\uparrow\ STP_i.res\downarrow \prec ck\uparrow\ ck\downarrow\ ck\uparrow\ STP_i.din\uparrow\ STP_i.do^*\uparrow\ STP_i.kp\uparrow$. We can rephrase this multi-cycle constraint as a compound timing constraint $\tau_4^{GSTP}\ \mathrm{XOR}\ \tau_5^{GSTP}$, where $\tau_4^{GSTP}$ and $\tau_5^{GSTP}$ are two POD constraints given below:

$ck\uparrow \to STP_i.res\downarrow \prec STP_i.kp\uparrow$ ($\tau_4^{GSTP}$)

$ck\uparrow \to STP_i.res\downarrow \prec ck\uparrow$ ($\tau_5^{GSTP}$)

To see why this is so, let us perform a case analysis. The first case is when the second instance of transition $ck\uparrow$ occurs before $STP_i.res\downarrow$. In this case, the same instance of $ck\uparrow$ precedes both $STP_i.kp\uparrow$ and $STP_i.res\downarrow$, and hence we can simply write it as the POD constraint $\tau_4^{GSTP}$. However, if the second instance of $ck\uparrow$ does not precede $STP_i.res\downarrow$, it simply means that $STP_i.res\downarrow$ occurs before $ck\uparrow$ fires again; i.e., $\tau_5^{GSTP}$ holds, and so does the multi-cycle constraint.

Finally, consider the domino inverter in the LP stage, depicted in Figure 9.7(c). To avoid a short-circuit in this inverter, the following constraint is necessary:

$ck\uparrow \to LP.pch^*\uparrow \prec RES1.r1\downarrow$ ($\tau_6^{GSTP}$)

In all, we needed 33 timing constraints, as shown in Table 9.3 (we count a compound timing constraint as a single constraint). We model checked the circuit to verify the absence of short-circuits in all the domino inverters. The model checker's run-time was within a few minutes (see Table 9.3) and memory consumption was less than 150 MB.

Next, we turned to verifying all the timing constraints, successfully verifying all but one: $\tau^{STP}_6$. Consider this constraint. It takes only 5 gate delays going from ck↑ to RES1.r1↓, while it takes 7 going from ck↑ to LP.pch′↓. This means that the circuit, as described in the paper [72], has a short-circuit error. The main impact of this error appears to be increased power consumption and a greater propensity for device failure in the unfooted domino inverter.

To eliminate this error, we replaced the unfooted domino inverter in the LP stage by a footed domino inverter. With this replacement, constraint $\tau^{STP}_6$ becomes unnecessary. Correctness of the modified circuit was verified without using this constraint in about 4 minutes.

Other  Circuits 

Among  the  other  circuits  we  verified,  we  briefly  report  here  on  the  modeling  of  two:  the  GasP 
control  circuit  [150]  and  the  STAPL  left-right  buffer  circuit  [116]. 


Figure  9.8:  GasP  stage 

A single stage of the GasP control circuit is depicted at the gate level in Figure 9.8, with the normally distributed pullup and pulldown collapsed into the unfooted domino inverter. To ensure correct operation of this circuit, we needed to specify 4 POD constraints for each stage. A sample constraint is

$\mathit{PATH.lo}\!\downarrow \;\rightarrow\; \mathit{PATH.rd}\!\downarrow \;\prec\; \mathit{PATH.s}\!\downarrow \qquad (\tau^{GasP})$

We connected 10 GasP stages together in a ring with exactly one full stage, and model checked it for absence of short circuits and to verify that exactly one stage was full at any given point in time. Both verification runs completed within a minute, as shown in Table 9.3.
The STAPL left-right buffer, shown in Figure 9.9, is different from the other two circuits in that it uses metric timing constraints. Figure 9.9 shows a single FIFO stage that passes a single bit, encoded using dual-rail encoding (with signals l0 and l1), to the output (as signals r0 and r1). For correct operation, the circuit employs two pulse generators (shown in Figure 9.9 as square boxes) with pulse lengths less than the constants $\sigma_{true}$ and $\sigma_{false}$ respectively. Corresponding to the pulse generators, there are two paths in the circuit that are respectively required to take longer than the constants $\delta_{true}$ and $\delta_{false}$. An additional constraint is imposed that $\delta_{true} > \sigma_{true}$ and $\delta_{false} > \sigma_{false}$. These timing constraints naturally lend themselves to being modeled as metric constraints with clock variables, with 2 constraints (4 clock variables) per buffer stage. In addition to these constraints, each stage also requires 6 POD constraints. Each stage has 10 Boolean signals (not counting its inputs; note that the pulse generators have one internal Boolean signal each). We model checked a ring of 3 STAPL buffers (for the same properties as the GasP circuit); both verifications completed successfully within a few minutes.


Figure 9.9: STAPL left-right buffer. Reproduced from [116]. The pulse generator with pulse width less than $\sigma_{true}$ is shown with a dashed circle, while that with width less than $\sigma_{false}$ is shown using a dotted circle. The corresponding paths are dashed and dotted respectively.


Comparison  with  Other  Tools 

Table 9.3 summarizes our experimental results on the 3 circuits discussed so far.

Circuit       |V|    |T|: POD   XOR   Metric    TMV Run-Time (seconds)
Global STP     28         27     6      0          66.32
GasP-10        60         40     0      0          26.10
STAPL-3        30         18     0      6         278.05

Table 9.3: Summary of experimental results with TMV. |V| is the number of signals, and |T| is the number of timing constraints, with the associated break-up into categories (POD, XOR compound, and metric).

We compared the performance of TMV to ATACS [155], which is based on metric timing. ATACS uses model checking algorithms that are explicit-state in the Boolean component and prune the search space using partial-order reduction methods.⁶ In modeling the Global STP (the corrected version) and STAPL circuits, we assigned min-max delay ranges to all gates so that timing is analogous to counting transitions, but for the GasP circuit we had to assign ranges more carefully so that all POD constraints were satisfied. For all three circuits, ATACS did not finish within an hour, running out of memory for the STAPL and Global STP circuits.

For the circuits discussed so far, most timing constraints are simple POD constraints, and very few constraints are metric. Hence, we only needed to introduce a few clock variables, if any. This enabled TMV to scale well on these circuits.

As  mentioned  in  Section  9.4.2,  metric  constraints  can  usually  be  reformulated  as  POD  constraints, 
but  at  the  cost  of  modularity.  Using  the  STARI  circuit  [64],  we  studied  the  relative  performance 
of  TMV  for  two  different  ways  of  modeling  constraints.  (The  reader  is  referred  to  Greenstreet’s 
thesis  [64]  for  a  description  of  the  circuit.)  All  timing  constraints  for  this  circuit  can  be  modeled  as 
POD  constraints,  where  the  POD  is  the  clock  that  is  distributed  to  both  sender  and  receiver  modules. 
This  breaks  modularity,  since  timing  constraints  for  each  buffer  stage  between  the  sender  and  the 
receiver  require  tracing  back  to  the  global  clock.  One  can  also  formulate  these  constraints  as  metric 
timing  constraints  specifying  that,  for  each  buffer  stage,  an  output  data  bit  and  ack  must  follow  an 
input  within  a  clock  phase.  In  our  circuit  model,  we  abstracted  the  data-path  to  only  one  bit,  and 
modeled  only  one  of  the  two  bits  making  up  the  dual  rail  encoding.  Thus,  each  stage  contributes 
only  two  Boolean  state  variables.  The  resulting  timed  automaton  has  4  clock  variables  (one  per 
metric  constraint)  for  every  two  stages;  thus,  there  is  exactly  one  clock  variable  for  every  Boolean 
signal  in  a  stage. 

We computed the set of reachable states for STARI circuits (initialized to be half-full) for increasing numbers of buffer stages and in three different ways: (1) using ATACS, (2) using TMV with purely POD constraints, and (3) using TMV with modularly specified metric constraints. The results are displayed in Figure 9.10. Using TMV with purely POD constraints is the most scalable approach, followed by ATACS. When used on a model with metric constraints, TMV scales very poorly. The reason for this appears to be that each clock zone has few corresponding Boolean states, since the ratio of clock variables to Boolean signals, per stage, is fairly high (compared to the STAPL buffer, for instance). This reduces the benefits of using fully symbolic Boolean methods of quantifier elimination. On the model based purely on POD constraints, TMV runs an order of magnitude faster than ATACS.

⁶ The results reported for ATACS are for the partial-order reduction option that yielded the best results.

Figure 9.10: Results for the STARI circuit. Note that the Y-axis is on a log scale. A timeout of 3600 seconds was imposed on all runs.


9.5  Summary 

In  this  chapter,  we  presented  a  new  approach  for  fully  symbolic  model  checking  of  timed  automata 
based  on  the  Boolean  methods  for  quantified  difference  logic  proposed  in  Chapter  8.  We  have  ap¬ 
plied  this  model  checker  to  the  verification  of  timed  circuits,  including  industrial  examples.  Results 
demonstrate  the  utility  of  our  approach. 


Chapter  10 


Conclusion 


This  concluding  chapter  discusses  the  main  theoretical  results  and  design  decisions  in  this  thesis, 
summarizes  the  thesis  contributions,  and  suggests  directions  for  future  work. 


10.1  Summary  of  Contributions 

Adaptive  Boolean  encoding  methods  provide  a  new  way  of  building  efficient,  automated  decision 
procedures  for  first-order  logics  involving  arithmetic.  This  thesis  has  made  a  first  step  towards 
extending  Boolean  encoding  methods  to  a  rich  subset  of  logic  that  is  useful  for  a  wide  range  of 
applications,  and  has  demonstrated  the  efficiency  of  the  approach. 

A  central  design  decision  in  our  approach  is  to  use  eager  Boolean  encoding  techniques.  This  en¬ 
ables  us  to  leverage  future  advances  in  Boolean  methods  far  more  easily  than  the  lazy  encoding 
methods.  In  our  experience,  this  clean  separation  of  encoding  and  SAT  can  lead  to  orders  of  magni¬ 
tude  speedup  on  some  problems.  It  also  allows  us  to  generate  counterexamples  fairly  easily. 

The eager encoding techniques are based on new theoretical results giving solution bounds for arbitrary quantifier-free Presburger arithmetic, as well as for specialized fragments such as the logic of G2SAT constraints. These results improve over previous solution bounds, in the typical case, by an exponential factor. The exponential improvement directly translates into an exponential reduction in the search space of the SAT solver.

Boolean  encoding  methods  can  be  made  adaptive  by  incorporating  machine  learning  for  automated 
algorithm  selection.  Our  experience  shows  that  the  use  of  machine  learning  can  not  only  relieve 
the  user  of  the  burden  of  setting  the  right  combination  of  command-line  options,  but  can  also  yield 
orders  of  magnitude  speedup  compared  to  previous  approaches. 

The UCLID verification system incorporates all of the above ideas, and has been applied to a wide range of applications in hardware and software verification. In this thesis, we demonstrated its application to finding format-string exploits, a class of security vulnerabilities in software that requires precise modeling of data.

Boolean  encoding  methods  can  also  be  used  for  quantifier  elimination  in  quantified  logics  that  ad¬ 
mit  such  elimination.  One  such  useful  logic,  explored  in  this  thesis,  is  quantified  difference  logic. 
We  have  shown  how  quantifier  elimination  based  on  Boolean  methods  can  be  applied  in  the  fully 
symbolic  model  checking  of  timed  systems.  In  conjunction  with  a  new  approach  to  modeling  tim¬ 
ing  assumptions  in  circuits,  our  fully  symbolic  model  checker,  TMV,  has  scaled  to  industrial-size 
circuits. 

10.2  Open  Problems 

While  this  dissertation  has  answered  many  questions,  it  has  also  posed  several  new  problems.  We 
discuss  some  of  the  open  problems  here. 

Theoretical  Problems 

There are many open theoretical problems that deserve further exploration.

In deciding quantifier-free Presburger (QFP) arithmetic, we made use of the bound (n + 2) · Δ given by Borosh, Treybig, and Flahive (see Theorem 5.1). In their 1992 paper [23], Borosh and Treybig conjecture that this bound can be improved to just Δ. As far as we know today, this conjecture is still open.

In  Chapter  5,  we  showed  how  the  presence  of  a  large  number  of  difference  constraints  can  be 
exploited  in  computing  a  compact  solution  bound.  Chapter  4  shows  that  the  solution  bound  for 
G2SAT  formulas  is  very  similar  to  that  for  difference  formulas.  It  is  therefore  a  natural  question 
as  to  whether  the  results  of  Chapter  5  can  be  generalized  to  apply  to  formulas  comprising  mainly 
G2SAT  constraints. 

The results of Chapter 5 apply to arbitrary-precision integer arithmetic. It would be interesting to see if similar results could be obtained for finite-precision (modular) integer arithmetic. In the latter case, we already have a (trivial) finite bound on solution size, but would like to find a tighter bound, or perhaps a way of performing a sparse encoding over the trivial finite bound.

SAT  and  Machine  Learning 

In Chapter 6, we observed the impact of the structure of SAT instances generated by the Direct encoding on the relative performance with the SD encoding. More work needs to be done to formally understand the structure of SAT instances generated by both encoding algorithms. In particular, for the SD encoding, we have used only one choice of arithmetic circuits throughout this thesis (e.g., using ripple-carry adders for addition). There needs to be a more comprehensive evaluation of different choices of arithmetic circuits in the SD encoding with respect to the ease with which the resulting SAT instances are solved.

Our experience with SAT solvers has been very positive, indicating the presence of hidden structure in the instances we generate (using all the different encoding algorithms). Formalizing this structure can help in designing more efficient SAT solvers, besides providing valuable theoretical insight into our application domains. The work of Hoos [77] and Williams et al. [163] are good starting points for tackling this problem.

Our  work  on  using  machine  learning  for  automated  algorithm  selection,  although  demonstrated  just 
for  the  SD  and  Direct  encoding  algorithms  for  difference  logic,  has  wider  applicability.  Specifi¬ 
cally,  it  could  be  used  for  different  logical  theories  at  multiple  levels  in  the  UCLID  decision  proce¬ 
dure.  For  example,  it  could  be  used  for  selecting  between  Ackermann’s  technique  [2]  for  eliminating 
function  applications  and  that  given  by  Bryant  et  al.  [29]. 

Applications 

Automating  the  generation  of  formal  models  from  descriptions  of  real  hardware  and  software  sys¬ 
tems,  in  languages  such  as  C  and  Verilog,  is  critical  to  make  the  techniques  proposed  in  this  thesis 
easier  to  use. 

While  there  has  been  work  on  automatically  generating  finite-state  models  from  source  code  using 
techniques  such  as  predicate  abstraction  (e.g.,  [11,  36]),  similar  methods  for  generating  infinite-state 
models  have  yet  to  be  demonstrated.  The  recent  work  by  Andraus  and  Sakallah  [7]  on  generating 
UCLID  models  from  Verilog  is  a  first  step  in  this  direction. 

Similarly,  an  important  next  step  in  our  work  on  verifying  timed  circuits  is  to  automate  the  gener¬ 
ation  of  timing  constraints.  There  has  been  past  work  on  automatically  generating  relative  timing 
constraints  by  attempting  to  rule  out  spurious  counterexamples  [85, 121],  but  they  do  not  scale  well, 
and  require  the  use  of  min-max  delay  bounds.  An  approach  worth  exploring  is  to  infer  affine  rela¬ 
tions  over  time  intervals  between  events  based  on  applying  machine  learning  to  simulation  traces; 
to  our  knowledge  this  has  never  been  attempted  before. 
Boolean methods have the potential to greatly increase the scalability of decision procedures for first-order logics involving arithmetic, thereby enabling a whole new range of applications.

There are two directions in which a future research plan could be mapped out. The first involves extending the framework for decision procedures based on eager Boolean encodings that has formed the basis for this dissertation. The second concerns new applications that would benefit from a use of decision procedures.

Many applications generate not one, but a whole stream of formulas (queries) to a theorem prover. Often, these formulas differ from each other only slightly. For instance, in bounded model checking, the formula generated after symbolically simulating a system for k steps is likely to share several common sub-expressions with that generated after k − 1 steps. It is therefore advantageous to make the Boolean encoding algorithms incremental, with the ability to re-use work from previous translations. For the UCLID logic considered in this thesis, an incremental encoding algorithm will work in tandem with an incremental SAT solving algorithm. Algorithms and implementations for incremental SAT solving already exist [169]. In particular, one would like to prove theoretical results about the extent of additional work needed in the incremental translation, given a measure of how successive input formulas differ.

The decision procedures proposed in this thesis do not directly generate proofs. Proof-generating decision procedures are useful for at least two reasons. First, a proof provides the user with a certificate of the implementation's correctness on the input formula, making the system more trustworthy. Second, proofs can be used in verification tools that refine abstractions from proofs, such as the Blast software model checker [69].

This dissertation has only explored purely eager Boolean encoding methods, and has demonstrated their advantages over lazy techniques for specific logics. However, eager methods suffer two limitations: the encoding phase can be a performance bottleneck, and it is harder to extend these methods for new theories. I believe that these limitations can be mitigated by an integration with lazy encoding techniques, for two reasons. First, when very little first-order reasoning is required for a given problem (e.g., if propositional reasoning suffices to decide unsatisfiability), lazy encoding methods are extremely effective. Second, lazy methods can easily build upon any method for deciding a combination of theories, such as Nelson and Oppen's method [109]. Some ideas on integrating eager and lazy algorithms are incorporated in the recent paper by Ganzinger et al. [60].

The second broad direction for future work is on new applications. New applications exist in hardware and software verification, as well as in other areas. Software security seems to be a particularly rich space for future applications. Finding security vulnerabilities in software often requires reasoning about data in addition to control, and theorem proving is particularly effective at analyzing data-dependent properties of systems. Some specific near-term applications are malware detection [39] and verifying secure information flow [130]. The work on timed circuits described in this thesis can be extended to other systems operating under timing assumptions, such as distributed systems and real-time embedded systems. Finally, automated reasoning in expressive logics has a wide range of potential applications, from established fields like constraint programming and operations research to emerging areas like systems biology.

Decision  procedures  will  continue  to  play  an  important  role  in  reasoning  about  the  reliability  and 
security  of  computer  systems.  Boolean  methods  can  be  exploited  to  build  decision  procedures  that 
scale  to  industrial-scale  problems.  The  theoretical  concepts  and  practical  techniques  presented  in 
this  thesis  form  a  foundation  for  future  work  on  leveraging  Boolean  reasoning  methods  for  richer 
logics. 


Appendix  A 


UCLID 


This appendix describes the syntax and semantics of the specification language for UCLID version 2.0, along with some of the verification methods that are supported in UCLID.

A.l  The  UCLID  Specification  Language 

We  present  the  semantics  informally  in  the  discussion  accompanying  the  description  of  each  syn¬ 
tactic  construct. 

The syntax of UCLID is very similar to the input language of the CMU version of the SMV model checker [98]. However, there are several differences, and we will point these out where necessary.

A specification in UCLID is divided into two logical sections. The first part describes the model of the system to be verified. The format of this part is very similar to that of SMV. The second part, also called the control section or module, specifies how the symbolic simulation is to be configured for the verification task at hand. One can view this latter portion as comprising the commands that one might ordinarily type at the prompt of an interactive tool.

A.1.1  Format 

The  overall  format  of  a  UCLID  specification  is  as  follows: 

MODEL <modelname>

<typedefs>
<Global Constants>
<modules>
<Control module>

<modelname> denotes the name of the specification being checked. <typedefs> is an optional section containing type definitions of user-defined enumerated types. Constants with global scope are defined in the following <Global Constants> section. This is followed by the specification of one or more modules. Each module has five subsections: an INPUT section that has declarations of inputs to the module, a VAR section for declaring state variables and macro variables, a CONST section for declaring constants, a DEFINE section for defining macros, and an ASSIGN section for defining the initial state and state transition relation of the module. The last section is the <Control module> section. This includes three mandatory subsections: the EXTVAR section for declaring external variables, the STOREVAR section for declaring storage variables, and the EXEC section for listing the commands to be used in the simulation. The optional subsections are VAR, CONST and DEFINE, which serve the same function as for ordinary modules. Note that the term "MODEL" is somewhat of a misnomer, since a UCLID specification contains both the model as well as commands to run the simulation.

A.1.2  Language  Overview 

Before describing the language in detail, we present a simple example of a UCLID specification. Consider the example of a traffic light that changes based on the value of an internal timer, as shown in Figure A.1.

Figure A.1: A timed traffic light (transition label in the figure: timer = 5).

The UCLID specification of this system is given below:
MODEL timedSignal

typedef signal : enum{red, yellow, green};

MODULE trafficLight

INPUT

VAR
  (* state variables *)
  light : signal;
  timer : TERM;

  (* macro variables *)
  FIVE   : TERM;
  TEN    : TERM;
  TWELVE : TERM;

CONST

DEFINE
  FIVE   := succ^5(ZERO);
  TEN    := succ^5(FIVE);
  TWELVE := succ^2(TEN);

ASSIGN
  init[light] := red;
  next[light] := case
                   (light = red)    & (timer < FIVE)   : red;
                   (light = red)    & (timer = FIVE)   : green;
                   (light = green)  & (timer < TEN)    : green;
                   (light = green)  & (timer = TEN)    : yellow;
                   (light = yellow) & (timer < TWELVE) : yellow;
                   (light = yellow) & (timer = TWELVE) : red;
                   default : light;
                 esac;

  init[timer] := ZERO;
  next[timer] := case
                   (light = yellow) & (timer = TWELVE) : ZERO;
                   default : succ(timer);
                 esac;

(* ---------- CONTROL MODULE ---------- *)

CONTROL

EXTVAR

STOREVAR
  initRedCondition : TRUTH;

VAR
  redCondition : TRUTH;

CONST

DEFINE
  redCondition := (trafficLight.light = red) =>
                  (trafficLight.timer <= trafficLight.FIVE);

EXEC
  initRedCondition := redCondition;
  print(trafficLight.light);
  decide(initRedCondition);
  simulate(1);
  decide(redCondition);
  simulate(1);
  decide(redCondition);
  simulate(1);
  decide(redCondition);

A traffic signal is modeled as an enumerated type with three values. Constants in UCLID can be Boolean, integer, of enumerated type, or uninterpreted symbols (we refer to such uninterpreted symbols as symbolic constants). In particular, the keyword ZERO refers to the integer constant 0. Within the module trafficLight, the VAR and CONST segments consist of variable and constant declarations respectively. Variables and constants declared here have names local to the module; however, these identifiers may be referenced anywhere outside the module by prefixing the identifier with the name of the module followed by a ".". The DEFINE segment has the same role as in CMU SMV: it is used to define "macros" for commonly occurring shared sub-expressions. The ASSIGN segment consists of assignments of initial values to state variables and specifications of the next-state functions. The case expression is used for conditional assignments, just as in SMV.

The main syntactic additions (to the SMV style) illustrated in this example are the successor function symbol (succ) and the CONTROL module. The condition redCondition, defined in the control module, checks that whenever the light is red, the timer is at most FIVE (timer <= FIVE). We can easily see that this condition is always true for the specified model. The storage variable initRedCondition is used to store the initial value of this condition. In the above example, bounded model checking has been used to check the validity of redCondition for 3 steps. A print command is used to print the initial value of the state variable trafficLight.light. Note that the storage variable is unnecessary in this example; the formula stored in initRedCondition may be decided by inserting a decide(redCondition) statement before the first simulate command.
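An executable replay of this example, added here as an illustration (it is not UCLID's own code or output): the Python below encodes the trafficLight module and the control module's simulate/decide loop explicitly, checks redCondition for the same 3 steps, and then, because the module declares no inputs and has fixed initial values (so it is deterministic, an assumption stated in the code), walks every reachable state to confirm the condition holds without any step bound. It also includes a constructed, deliberately wrong variant of the property (timer strictly less than FIVE in the red state) to show that a 3-step bounded check does not catch it while a 5-step one does.

```python
"""Explicit-state replay of the UCLID timedSignal model above.

Added example, not UCLID's own code.  It mirrors the trafficLight module (the
light/timer state, the DEFINE macros, the case-based next-state functions) and
the control module's "simulate(1); decide(redCondition)" loop in plain Python.
Assumption: the module has no INPUT declarations and fixed init values, so the
model is deterministic and its single run covers every behaviour UCLID's
symbolic simulation would explore for this specification.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Signal(Enum):            # typedef signal : enum{red, yellow, green};
    RED = "red"
    YELLOW = "yellow"
    GREEN = "green"


ZERO = 0                       # the primitive TERM constant
FIVE = ZERO + 5                # succ^5(ZERO)
TEN = FIVE + 5                 # succ^5(FIVE)
TWELVE = TEN + 2               # succ^2(TEN)


@dataclass(frozen=True)
class State:
    light: Signal
    timer: int


def init_state() -> State:
    """init[light] := red;  init[timer] := ZERO;"""
    return State(Signal.RED, ZERO)


def next_state(s: State) -> State:
    """Both next[...] case statements, evaluated on the current state."""
    rules = [                                  # (light, guard on timer, next light)
        (Signal.RED,    lambda t: t < FIVE,    Signal.RED),
        (Signal.RED,    lambda t: t == FIVE,   Signal.GREEN),
        (Signal.GREEN,  lambda t: t < TEN,     Signal.GREEN),
        (Signal.GREEN,  lambda t: t == TEN,    Signal.YELLOW),
        (Signal.YELLOW, lambda t: t < TWELVE,  Signal.YELLOW),
        (Signal.YELLOW, lambda t: t == TWELVE, Signal.RED),
    ]
    light = s.light                            # default : light
    for cur, guard, nxt in rules:              # first matching branch wins, as in case/esac
        if s.light is cur and guard(s.timer):
            light = nxt
            break
    timer = ZERO if (s.light is Signal.YELLOW and s.timer == TWELVE) else s.timer + 1
    return State(light, timer)


Prop = Callable[[State], bool]


def red_condition(s: State) -> bool:
    """(trafficLight.light = red) => (trafficLight.timer <= trafficLight.FIVE)"""
    return s.light is not Signal.RED or s.timer <= FIVE


def strict_red_condition(s: State) -> bool:
    """Constructed, deliberately wrong property ('timer < FIVE while red');
    it is false in the reachable state (red, 5)."""
    return s.light is not Signal.RED or s.timer < FIVE


def bounded_check(prop: Prop, steps: int) -> Tuple[bool, List[State], Optional[int]]:
    """decide(prop) on the initial state, then `steps` rounds of simulate(1); decide(prop).
    Returns (holds, trace, index of the first failing step or None)."""
    s = init_state()
    trace = [s]
    for k in range(steps + 1):
        if not prop(s):
            return False, trace, k
        if k == steps:
            break
        s = next_state(s)
        trace.append(s)
    return True, trace, None


def reachable_states() -> List[State]:
    """Every state of the single deterministic run, up to the first repeat."""
    seen, order = set(), []
    s = init_state()
    while s not in seen:
        seen.add(s)
        order.append(s)
        s = next_state(s)
    return order


def invariant_violation(prop: Prop) -> Optional[State]:
    """Unbounded check: the first reachable state violating prop, or None."""
    return next((s for s in reachable_states() if not prop(s)), None)


if __name__ == "__main__":
    ok, trace, _ = bounded_check(red_condition, 3)          # the EXEC section's 3 steps
    print("redCondition, 3 steps:", ok, [(s.light.value, s.timer) for s in trace])
    print("strict variant, 3 steps:", bounded_check(strict_red_condition, 3)[0])
    print("strict variant, 5 steps:", bounded_check(strict_red_condition, 5)[:1])
    print("reachable states:", len(reachable_states()),
          "violation of redCondition:", invariant_violation(red_condition))
```

The run returns to (red, ZERO) after 13 steps, so the 13 states visited by reachable_states are the whole state space; a bounded check of 3 steps, as in the EXEC section, only covers the first four of them, which is why the strict variant looks fine at depth 3 and fails at depth 5.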

A.1.3  Keywords  and  Lexical  Conventions 

The lexical analyzer of UCLID is case-sensitive. The following alphabetic strings are reserved keywords (some are reserved for future use).

MODEL CONTROL EXTVAR STOREVAR EXEC typedef enum initialize simulate
decide print printexpr FORALL MODULE INPUT VAR of CONST DEFINE ASSIGN
SPEC TERM TRUTH FUNC PRED ZERO succ pred case esac default init next Lambda
EXISTS verify model define if then else for endfor while do switch
array vector process function module procedure include boolean
integer signal input output OUTPUT local in end assert prove

Names of identifiers (state variables, macro variables, constants of all types) may be any sequence of symbols in {A-Z, a-z, 0-9, _} beginning with an alphabetic character. Space, newline and tab are white space and are ignored. UCLID has ML-style comments: a comment begins with "(*" and ends with "*)". Nesting of comments is allowed.

While  describing  syntax  in  the  discussion  that  follows,  we  will  enclose  within  quotes  all  strings 
recognized  as  tokens  by  the  parser.  Identifiers  will  be  denoted  by  the  strings  “id”,  “idO”,  “idl”,  etc. 

A.  1.4  Data  Types  and  Type  Declarations 

There  arc  six  classes  of  data  types  in  UCLID,  as  listed  below: 

1.  TRUTH,  the  Boolean  data  type; 

2.  TERM,  the  integer  data  type  (uninterpreted  function  symbols  of  arity  0); 

3.  FUNC,  the  data  type  for  uninterpreted  function  symbols  of  arity  greater  than  0.  Functions  of 
this  type  take  arguments  of  type  TERM  and  return  a  value  of  type  TERM; 

4.  PRED,  the  data  type  for  uninterpreted  predicate  symbols  of  arity  greater  than  0.  Predicates 
of  this  type  take  arguments  of  type  TERM  and  return  a  value  of  type  TRUTH; 

5. Enumerated Types, which are C-style enumerated types;

6.  Functions  returning  enumerated  types. 
Enumerated types are the only user-defined types in UCLID. They must be declared at the very beginning of the UCLID specification using a typedef declaration, as given below:

type_decl ::= "typedef" id0 ":" "enum" "{" id1 "," ... "," idn "}" ";"

An example is illustrated below:

typedef signal : enum{red, yellow, green};

The scope of typedef declarations is global. A typedef declaration is mandatory for each enumerated type. After the typedef declaration, the enumerated type is referred to by the type name defined in that declaration.

Variable and constant declarations are made in INPUT, VAR, or CONST sections.¹ Types have the syntax

type ::= "TERM" | "TRUTH" | "FUNC" "[" integer "]"
       | "PRED" "[" integer "]" | id
       | "FUNC" "[" integer "]" "of" id

Consider  the  following  examples.  Identifiers  of  type  TERM  and  TRUTH  are  declared  in  a  straight¬ 
forward  manner  as  shown  below: 

foo  :  TRUTH; 
bar  :  TERM; 

For functions and predicates, in addition to declaring the type, the user must also declare the arity. For functions returning an enumerated type, the enumerated type is also specified. In the examples below, f is a function of 10 arguments, p is a predicate of 4 arguments, and manySignalLights is a function of one argument that returns the type signal.

f : FUNC[10];
p : PRED[4];
manySignalLights : FUNC[1] of signal;

Identifiers  of  type  FUNC  or  PRED  are  useful  in  modeling  arrays,  lookup  tables  or  memories,  queues 
and  similar  data  structures,  using  lambda  expressions,  as  described  in  Chapter  7. 

1 External and storage variables are also declared in a similar fashion, but we will deal with these separately in section A.1.12.

Note that a function and a predicate of arity 0 may also be defined; however, in general, these do
not always behave the same as if they were defined as TERM and TRUTH respectively. Functions or
predicates of arity 0 are best defined as having TERM, TRUTH, or an enumerated type, as necessary.

A.1.5  Constants 

UCLID constants are of two kinds: primitive constants, and symbolic constants. Primitive constants
are either of type TRUTH or of enumerated type. The primitive constants of type TRUTH are 1 and
0. There is only one primitive constant of type TERM: ZERO, standing for the integer constant 0.
Primitive constants of an enumerated type E are the values in the set specified in the type declaration
for E. Primitive constants do not have to be declared in a CONST declaration.

All constants other than primitive constants are symbolic. In UCLID version 2.0, there can be
no symbolic constants of enumerated type, or of a FUNC type that returns enumerated type. All
symbolic constants must be declared in a CONST declaration, either globally or within a module.

The  syntax  of  a  CONST  declaration  is  as  follows: 

const_decl ::= "CONST"
                   id1 ":" type1 ";"
                   id2 ":" type2 ";"
                   ...


Examples of CONST declarations are given below:

CONST

b0 : TRUTH;      (* symbolic Boolean constant *)

T0 : TERM;       (* symbolic constant of type TERM *)

f0 : FUNC[3];    (* symbolic constant of type FUNC and arity 3 *)

A.1.6  Input  Variables 

Inputs to a module must be declared in the INPUT section of the module. Variables declared in this
manner are called input variables.

Input  variables  are  typically  used  to  provide  inputs  to  a  module  from  the  CONTROL  module,  where 
the  value  of  the  input  signal  in  a  given  step  may  be  controlled  by  the  user.  An  input  variable  for 
module  M  might  also  be  a  variable  in  another  module  M'  that  M  references;  the  declaration  is 
needed  only  if  M  precedes  M'  in  the  file. 

The  syntax  of  an  INPUT  declaration  is  as  follows: 
input_decl ::= "INPUT"
                   id1 ":" type1 ";"
                   id2 ":" type2 ";"
                   ...

UCLID version 2.0 does not support instantiation of modules within another module. We plan to implement
this in the next version, and that will make different use of the INPUT section (substituting
actual arguments for formal arguments).

A.1.7  State  Variables 

A  state  of  a  UCLID  model  is  an  assignment  of  values  to  state  variables. 

The state variables of each module are declared in the VAR section of that module. A state variable
may be of any of the six kinds of types discussed in section A.1.4. The syntax of a state variable
declaration is as follows

var_decl ::= "VAR"
                 id1 ":" type1 ";"
                 id2 ":" type2 ";"
                 ...

In addition to state variables, auxiliary and macro variables may be used to improve readability of
the specification, and in verification. These variables must also be declared in a VAR declaration.
They are typically defined in the DEFINE section.

A.1.8  Macro  Definitions 

The DEFINE section of a module is used to define macros, especially for shared subexpressions, so
as to improve readability. The syntax of a DEFINE declaration is as follows

defines ::= "DEFINE"
                id1 ":=" expr1 ";"
                id2 ":=" expr2 ";"
                ...

Whenever any identifier that appears on the left hand side (LHS) of a DEFINE statement appears
in an expression subsequent to its definition, it is replaced by the expression on the right hand side
(RHS) of its DEFINE statement. It is an error to use a DEFINE identifier before its definition;
circular definitions will also result in an error.



The RHS of a DEFINE statement is an expression whose syntax is defined in section A.1.10.

A.1.9  State  Assignments  and  the  Transition  Relation 

The initial state assignment and the transition relation for state variables within a module are defined
in the ASSIGN section.

The syntax of an ASSIGN declaration is as follows

assigns ::= "ASSIGN"
                lval1 ":=" expr1 ";"
                lval2 ":=" expr2 ";"
                ...

lval ::= "init" "[" id "]" | "next" "[" id "]"

Notice that UCLID syntax differs from SMV syntax in that we use square brackets instead of parentheses
with the init and next strings.

An l-value, denoted above by lval, denotes either the initial state value of a state variable v (written
init[v]), or the next state value of v (written next[v]). The expression on the RHS of an init
assignment is evaluated prior to the simulation's run-time, and assigned to be the initial value of
the state variable referenced on the LHS. For a next assignment, the expression is evaluated as the
simulation is run, and will be the next state value of the state variable referenced on the LHS.

Expressions on the RHS of a next state assignment of a variable may reference the next state values
of other state variables. It is therefore possible to have a combinational dependency amongst state
variables arising from next state assignments. The UCLID interpreter extracts these dependencies
automatically and evaluates the state variables in a suitable order. Circular dependencies are reported
as errors; the interpreter in UCLID version 2.0 does not reproduce the dependencies in case of an
error. The RHS of an initial state assignment may include other state variables, but no combinational
dependencies are resolved, and if one arises, it is reported as a compile-time error. If the initial or
next state of a state variable is assigned more than once, the last assignment is the only one that
applies.

A.1.10  Expressions

Expressions in UCLID are generated according to the following syntax:

expr ::= simple-expr
       | case-expr               /* Case expression */
       | nondet-expr             /* Nondeterministic expression */

simple-expr ::= truth-expr       /* Truth expression */
       | term-expr               /* Term expression */
       | enum-expr               /* Enum type expression */
       | func-expr               /* Function expression */
       | enum-fexpr              /* Enum type Function expression */
       | pred-expr               /* Predicate expression */

Note that parentheses can always be put around expressions, except for case-expressions and nondeterministic
expressions, which don't need any. Parentheses also cannot be placed around FORALL
expressions, which are introduced in Section A.1.12.

Truth  expressions 

Truth expressions, or Boolean expressions, have type TRUTH. Their syntax is as follows:

truth-expr ::= 1 | 0                                  /* primitive Boolean constants */
       | id                                           /* symbolic Boolean constant or variable */
       | "next" "[" id "]"                            /* Next state value of state variable */
       | truth-expr1                                  /* Not */
       | truth-expr1 "&" truth-expr2                  /* And */
       | truth-expr1 "|" truth-expr2                  /* Or */
       | truth-expr1 "=>" truth-expr2                 /* Implication */
       | truth-expr1 "<=>" truth-expr2                /* Equivalence */
       | term-expr1 "=" term-expr2                    /* Equality */
       | term-expr1 "!=" term-expr2                   /* Not-equality */
       | enum-expr1 "=" enum-expr2                    /* Equality */
       | enum-expr1 "!=" enum-expr2                   /* Not-equality */
       | term-expr1 "<" term-expr2                    /* Less than */
       | term-expr1 ">" term-expr2                    /* Greater than */
       | term-expr1 "<=" term-expr2                   /* Less than or Equal */
       | term-expr1 ">=" term-expr2                   /* Greater than or Equal */
       | pred-expr "(" term-expr1 "," term-expr2 "," ... "," term-exprn ")"
                                                      /* Predicate application */

The precedence of logical and relational operators is given below, from highest to lowest precedence.

<, >, <=, >=
=>, <=>

All operators of equal precedence associate to the left, except for =>, which associates to the right.

Term  expressions 

Term expressions have type TERM; they may be viewed as integers, although there are no primitive
integer constants defined. Their syntax is as follows:

term-expr ::= id                                      /* symbolic constant or variable */
       | "next" "[" id "]"                            /* Next state value of state variable */
       | "ZERO"                                       /* the integer constant 0 */
       | "succ" "(" term-expr ")"                     /* term-expr + 1 */
       | "pred" "(" term-expr ")"                     /* term-expr - 1 */
       | "succ^" k "(" term-expr ")"                  /* term-expr + k, for constant positive integer k */
       | "pred^" k "(" term-expr ")"                  /* term-expr - k, for constant positive integer k */
       | term-expr1 "+" term-expr2                    /* integer addition */
       | term-expr1 "-" term-expr2                    /* integer subtraction */
       | k term-expr                                  /* multiplication by a positive integer constant k */
       | func-expr "(" term-expr1 "," term-expr2 "," ... "," term-exprn ")"
                                                      /* Function application */


Enumerated type expression

Enumerated type expressions evaluate to a user-defined enumerated type; their syntax is very similar
to that of term expressions.

enum-expr ::= id                                      /* primitive constant or variable */
       | "next" "[" id "]"                            /* Next state value of state variable */
       | enum-fexpr "(" term-expr1 "," term-expr2 "," ... "," term-exprn ")"
                                                      /* Enum Function application */


Function  expressions 

Function expressions evaluate to functions that take arguments of type TERM and return values of
type TERM. A powerful feature of UCLID is to be able to define functions whose body changes over
steps. This allows functions to model memories, queues, lists and other useful data structures.

func-expr ::= id                                      /* symbolic constant or variable */
       | "next" "[" id "]"                            /* Next state value of state variable */
       | "Lambda" "(" id1 "," id2 "," ... "," idn ")" "." term-expr

The list of arguments to the Lambda operator must have at least one element. Also, the arguments
to a Lambda must be declared as symbolic constants. Both of these also hold for the Lambda
operator in the next two subsections of section A.1.10 (function expressions returning an enumerated
type, and predicate expressions).

Function  expressions  returning  enum  type 

Function expressions that take arguments of type TERM and return values of a user-defined enumerated
type are also very useful.

enum-fexpr ::= id                                     /* symbolic constant or variable */
       | "next" "[" id "]"                            /* Next state value of state variable */
       | "Lambda" "(" id1 "," id2 "," ... "," idn ")" "." enum-expr


Predicate  expressions 

Predicate expressions evaluate to functions that take arguments of type TERM and return values of
type TRUTH. Using the ability of UCLID to express lambda expressions, we can build, for example,
predicate expressions that represent boolean state tables of arrays of processes.

pred-expr ::= id                                      /* symbolic constant or variable */
       | "next" "[" id "]"                            /* Next state value of state variable */
       | "Lambda" "(" id1 "," id2 "," ... "," idn ")" "." truth-expr

Nondeterminism

The UCLID syntax allows for expressions that evaluate to sets of values. Internally, fresh symbolic
Boolean constants are generated to encode sets of values as an "if-then-else" expression conditioned
on the values of these constants. These fresh Boolean constants have names of the form _pN where
N is a natural number, and sometimes get assigned values in a counterexample.

The syntax of nondeterministic expressions is as follows:

nondet-expr ::= "{" simple-expr1 "," simple-expr2 "," ... "," simple-exprn "}"
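The encoding just described, as an added example in Python that is not code from the thesis or from UCLID itself: a nondeterministic choice {e1, ..., en} is turned into an if-then-else chain over fresh _pN constants, and the values a counterexample assigns to those constants are mapped back to the alternative that was chosen. The left-to-right chain shape, the ITE(cond, then, else) rendering and the default of 0 for a constant the counterexample leaves unassigned are assumptions of this example; the text only states that an if-then-else expression conditioned on the fresh constants is used.

```python
import itertools


class FreshBooleans:
    """Hands out the fresh symbolic Boolean constants _p0, _p1, ... (assumed naming: _pN)."""

    def __init__(self):
        self._counter = itertools.count()

    def fresh(self):
        return '_p%d' % next(self._counter)


def encode_nondet(alternatives, fresh):
    """Encode {e1, e2, ..., en} as ITE(_pa, e1, ITE(_pb, e2, ... en)).

    Returns the nested ('ite', cond, then, else) tree and the list of fresh
    constants it introduced (n - 1 of them for n alternatives)."""
    alts = list(alternatives)
    if not alts:
        raise ValueError('a nondeterministic expression needs at least one alternative')
    introduced = []

    def build(rest):
        if len(rest) == 1:
            return rest[0]                  # the last alternative needs no guard
        c = fresh.fresh()
        introduced.append(c)
        return ('ite', c, rest[0], build(rest[1:]))

    return build(alts), introduced


def to_text(e):
    """Render the tree in an ITE(cond, then, else) notation (assumed rendering)."""
    if isinstance(e, tuple) and e[0] == 'ite':
        return 'ITE(%s, %s, %s)' % (e[1], to_text(e[2]), to_text(e[3]))
    return str(e)


def select(e, assignment):
    """Resolve the choice under a counterexample's values for the _pN constants;
    a constant the counterexample does not mention is taken as 0 (false)."""
    while isinstance(e, tuple) and e[0] == 'ite':
        e = e[2] if assignment.get(e[1], False) else e[3]
    return e
```

For a three-way choice such as {ZERO, succ(x), y} the encoding introduces _p0 and _p1; a counterexample that reports _p0 = 0 and _p1 = 1 means the simulator picked succ(x) at that point, which is how the _pN values that show up in a counterexample are read.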

Case  expressions 

Conditional assignments are made using case expressions. The syntax of a case expression is as
follows.

case-expr ::= simple-case-expr
       | lambda-case-expr

simple-case-expr ::= "case"
                         truth-expr1 ":" gen-expr1 ";"
                         truth-expr2 ":" gen-expr2 ";"
                         ...
                         "default" ":" gen-exprn ";"
                     "esac"

lambda-case-expr ::= "Lambda" "(" id1 "," id2 "," ... "," idm ")" "."
                     "case"
                         truth-expr1 ":" gen-expr1 ";"
                         truth-expr2 ":" gen-expr2 ";"
                         ...
                         "default" ":" gen-exprn ";"
                     "esac"

gen-expr ::= truth-expr
       | term-expr
       | enum-expr
       | "{" truth-expr1 "," ... "," truth-exprn "}"
       | "{" term-expr1 "," ... "," term-exprn "}"
       | "{" enum-expr1 "," ... "," enum-exprn "}"

Note that we use the C-style default for the last item in the case as opposed to the SMV-style 1.
Nesting of case expressions is not allowed.

A.1.11  Modules 

A module is used to collect together related state variables and associated constants, macro definitions
and state assignments. UCLID version 2.0 has limited module support, and provides essentially
two features. First, we allow local naming, where variables with the same names can be declared
in different modules. Second, we also allow the use of input signals from other modules, including
the Control module. This latter feature allows the user to configure a simulation as needed. Note
that UCLID version 2.0 does not allow one to instantiate modules within other modules.

The syntax of a module definition (other than the Control module) is as follows:

module ::= "MODULE" id
               "INPUT"
               ...    /* input variable declarations */
               "VAR"
               ...    /* state variable and macro declarations */
               "CONST"
               ...    /* symbolic constant declarations */
               "DEFINE"
               ...    /* macro definitions */
               "ASSIGN"
               ...    /* state variable assignments */

A.1.12  The  Control  Module 

The Control module allows the user to configure the symbolic simulation for the verification task at
hand. In section A.2, we describe some of the verification techniques that UCLID can be used for,
and how the Control module can be used for those techniques.

The syntax of the Control module is as follows:

control ::= "CONTROL"
                "EXTVAR"
                ...    /* external variable declarations */
                "STOREVAR"
                ...    /* storage variable declarations */
                "VAR"
                ...    /* macro variable declarations */
                "CONST"
                ...    /* symbolic constant declarations */
                "DEFINE"
                ...    /* macro definitions */
                "EXEC"
                ...    /* simulator commands */

The VAR, CONST and DEFINE segments of the Control module serve exactly the same purpose
as for any other module, and have the same syntax. The VAR, CONST and DEFINE sections are
optional. The VAR segment will not contain any declarations for state variables as there are no state
variables in the Control module.


External  Variables 

In symbolic simulation, the user might sometimes wish to control the value a state variable takes at
a specific step. For example, in correspondence checking using the method pioneered by Burch and
Dill, one side of the commutative diagram is a simulation that first performs flushing, projection, and
then executes a step of the specification machine, while the other side of the diagram first executes a
step of the implementation machine, and then performs flushing. In this case, the flush signal needs
to take on specific values at specific steps, and these steps are different depending upon which side
of the commutative diagram we are trying to simulate.

The external variable is a feature of UCLID that addresses this problem. An external variable is a
user-controlled input to the system that can be assigned specific values at specific steps. An external
variable declaration includes, in addition to the type declaration, an assignment of the default value
that the variable takes, as shown here:

extvar_decl ::= "EXTVAR"
                    id1 ":" type1 ":=" expr1 ";"
                    id2 ":" type2 ":=" expr2 ";"
                    ...

External variables are also declared as inputs to modules before they are declared in the Control
module (however, when they are declared as inputs, no default value is assigned). It is an error to
declare an external variable that is not an input to any module.

The value of an external variable at step i is used in the simulation at step i + 1. For example, for
external variable flush, the assignment

flush[3] := 0;

means that the value of flush used in the fourth step of simulation is 0.

External variables find use in verification tasks where the values of variables at certain steps must
be user-specified, such as in correspondence checking. For example, they are used in the flushing
operation for verifying pipelined processor designs by the Burch-Dill method [34].

Storage  Variables 

During symbolic simulation, one might wish to store intermediate values of variables and expressions
for later reference. Storage variables serve precisely this purpose.

The syntax of a storage variable declaration is as follows:

storevar_decl ::= "STOREVAR"
                      id1 ":" type1 ";"
                      id2 ":" type2 ";"
                      ...


Commands  and  Assignments 

The EXEC section of the Control module contains 4 kinds of commands and two kinds of assignments.
The syntax of an EXEC section is as follows:

exec ::= "EXEC"
             stmt1
             stmt2
             ...

stmt ::= "simulate" "(" integer ")"          /* Simulate command */
       | "initialize"                        /* Re-initialize all state */
       | "decide" "(" gen-truth-expr ")"     /* Decide command */
       | "print" "(" id ")"                  /* Print the value of a state variable */
       | "print" "(" string ")"              /* Print any arbitrary string enclosed in double quotes */
       | "printexpr" "(" expr ")"            /* Print the value of an expr */
       | id ":=" expr                        /* Storage variable assignment */
       | id "[" integer "]" ":=" expr        /* External variable assignment */

The simulate command takes an integer argument k that specifies the number of steps the symbolic
simulation is to be run for, and simulates the system for k steps. The initialize command
re-initializes all state variables in the system to their initial value. This is useful, for instance, while
doing correspondence checking.

The decide command takes as argument a "generalized" truth-expression. The syntax of this generalized
truth expression is given below:

gen-truth-expr ::= truth-expr
       | forall-truth-expr "=>" truth-expr
       | forall-truth-expr1 "=>" forall-truth-expr2

forall-truth-expr ::= "FORALL" "(" id1 "," id2 "," ... "," idn ")" truth-expr

A generalized truth expression is either an ordinary truth-expression, as introduced in section A.1.10,
or an expression of the form A => C where the antecedent A has some variables (of type TERM)
universally quantified, while the consequent C may or may not have universally quantified variables
(of type TERM). The list of arguments to the FORALL operator must have at least one element. We
will describe how this syntactic feature is used in section A.2.

UCLID version 2.0 provides two commands for printing: print and printexpr. The print command
has two variants. The first allows one to print the value of any state variable at any step. The second
allows the user to print an arbitrary string enclosed in double quotation marks, primarily for pretty
formatting of the output. The printexpr command allows one to print the value of any expression
(respecting the syntax of expr) at the current simulation step.

The size of the output generated by printing the values of state variables and expressions
blows up very quickly as the number of simulation steps increases; we therefore strongly discourage
printing state variables and expressions after a very large number of simulation steps unless they are
known to be small.

Assignments to storage variables are similar to macro definitions. The storage variable name appears
on the LHS of the assignment, and it can be assigned an expression of its type. Assignments to
external variables also need to specify the step of simulation the RHS expression is to be evaluated
at. At that step, the expression is evaluated and the value is used wherever the external variable is
used. The natural number specifying the simulation step is written in square brackets on the LHS
next to the external variable name.


A.2  Verification  with  UCLID 

UCLID version 2.0 can be used with several verification methods, as was briefly described in Section
7.3. We describe the more commonly used techniques in this section using the language constructs
introduced in Section A.1. Using the primitive constructs described in Section A.1, the user
can easily develop techniques based on symbolic simulation other than those listed below.

Bounded  Model  Checking 

Plain symbolic simulation or bounded model checking can be done by simply running the simulate
command, specifying the number of steps as an argument. The decide command can then
be used to check the validity of a property of interest in a given state. This can be a very useful
bug-finding tool.

Bounded model checking can be used to check safety properties (state invariants) for a bounded
number of simulation steps. If the property fails to hold in some state, UCLID generates a counterexample
that can be used to generate a trace showing how the bug may be exploited. However, if
the property holds for all states in the simulation, we cannot make any assertions about whether it
will continue to hold for future steps.

Limited checking of liveness properties is also possible. For example, if we wish to check if a
process releases a lock eventually (starting from an initial state) and if the symbolic simulation
leads to such a state, then we can assert that the property does indeed hold. However, we cannot
find counterexamples for such a liveness property (if it does not hold on a truncated run).

The example in section A.1.2 illustrates the use of UCLID for bounded model checking. In bounded
model checking, all state variables are initialized to their initial state values using the init statement.
To check the validity of safety properties of interest after each step of simulation, the user
inserts decide commands after the corresponding simulate commands. If the formulas are
valid at each step up to k steps starting from an initial state s_0, then the safety property of interest
holds for the first k steps starting from s_0. We have found bounded model checking to be useful in
catching bugs, especially as a first step before trying to verify the system using techniques such as
correspondence checking or inductive invariant checking.

Correspondence  Checking 

Correspondence checking involves simulating two different sides of a commutative diagram and
checking the validity of the property of interest at the end [34, 158]. Thus, the outline of the verification
task, as specified in the Control module of a UCLID specification, will be as follows:

1. Assign values of external variables at specific steps in the simulation, using external variable
assignments.

2.  Run  the  simulation  for  one  side  of  the  diagram,  using  the  simulate  command. 

3.  Save  the  values  of  relevant  state  variables  using  storage  variables. 

4.  Re-initialize  to  the  start  state,  using  the  initialize  command. 

5.  (Re-)Assign  values  of  external  variables  at  different  steps. 

6.  Run  the  simulation  for  the  other  side  of  the  diagram. 

7.  (Optional)  Save  the  values  of  relevant  state  variables  in  storage  variables. 

8.  Construct  a  formula  for  the  property  of  interest,  and  check  its  validity  by  using  the  decide 
command. 

Deductive  Verification 

Another verification technique that UCLID can be used on is to prove the inductive invariant of
a system. In this technique, the starting state is initialized to a most general state. The system is
symbolically simulated for one step. Then, a property of the form Inv => Next(Inv) is checked,
where Inv denotes a formula for the invariant property we wish to verify, and Next(Inv) is its
next-state version.

In  general,  the  property  Inv  will  need  to  be  augmented  by  several  other  auxiliary  invariants,  just  as 
is  often  the  case  in  theorem  proving.  The  user  has  to  come  up  with  “lemmas”  to  prove  the  inductive 
invariant,  but  the  process  of  checking  the  validity  of  these  lemmas  is  entirely  automatic.  The  UCLID 
counterexample  generator  is  very  useful  in  providing  hints  for  lemmas. 
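The following added example (Python; not UCLID's symbolic simulator, which works on symbolic CLU expressions rather than concrete values) is an explicit-state stand-in that illustrates three things from this appendix at once: the ordering of next-state assignments whose RHS reads next[...] values of other variables, with a circular dependency reported as an error (section A.1.9); bounded model checking as a simulate/decide loop that returns the first violating step as its counterexample; and the one-step inductive check Inv => Next(Inv), with a constructed invariant that holds in every reachable state yet needs an auxiliary lemma before it becomes inductive. The model (a saturating counter, a latch, an acknowledge pulse and a pulse counter), the representation of an assignment as a (dependency list, function) pair, and the finite domains that stand in for a most general state are all constructed for this example.

```python
from itertools import product


class CircularDependencyError(Exception):
    """Raised when next-state assignments read each other's next[...] values in a cycle."""


def evaluation_order(assigns):
    """assigns maps each state variable v to (next_deps, fn): next_deps lists the
    variables whose next[...] value the RHS of next[v] reads, and fn(cur, nxt)
    computes next[v] from the current state and the next values computed so far.
    Returns an order with dependencies first, or raises on a cycle."""
    order, mark = [], {}

    def visit(v, path):
        if mark.get(v) == 'done':
            return
        if mark.get(v) == 'visiting':
            raise CircularDependencyError(' -> '.join(path + [v]))
        mark[v] = 'visiting'
        for dep in assigns[v][0]:
            visit(dep, path + [v])
        mark[v] = 'done'
        order.append(v)

    for v in assigns:
        visit(v, [])
    return order


def step(cur, assigns, order=None):
    """One simulation step: evaluate every next[v] in dependency order."""
    nxt = {}
    for v in order or evaluation_order(assigns):
        nxt[v] = assigns[v][1](cur, nxt)
    return nxt


def bounded_check(init, assigns, invariant, k):
    """simulate(k) with a decide(invariant) after every step. Returns (step, state)
    of the first violation, the explicit-state counterpart of a counterexample,
    or None when the invariant held at each of the k steps."""
    state, order = dict(init), evaluation_order(assigns)
    for i in range(1, k + 1):
        state = step(state, assigns, order)
        if not invariant(state):
            return i, state
    return None


def inductive_check(domains, assigns, invariant):
    """Inv => Next(Inv): every state of the finite domains that satisfies Inv plays
    the role of the most general state; step once and re-check Inv. Returns a
    state that breaks induction (a hint for a missing lemma) or None."""
    order, names = evaluation_order(assigns), list(domains)
    for vals in product(*(domains[n] for n in names)):
        s = dict(zip(names, vals))
        if invariant(s) and not invariant(step(s, assigns, order)):
            return s
    return None


def has_cycle(assigns):
    try:
        evaluation_order(assigns)
        return False
    except CircularDependencyError:
        return True


# Constructed model (not from the thesis). Plain names read the current state,
# n[...] reads a next-state value. A dict keyed by variable keeps only the last
# assignment to a variable, matching the rule stated in section A.1.9.
MODEL = {
    # next[count]: counts up and saturates at 4
    'count':  ([],        lambda c, n: c['count'] + 1 if c['count'] < 4 else c['count']),
    # next[sat]: latch, set once next[count] reaches 4
    'sat':    (['count'], lambda c, n: c['sat'] or n['count'] == 4),
    # next[ack]: one-step pulse on the rising edge of sat
    'ack':    (['sat'],   lambda c, n: n['sat'] and not c['sat']),
    # next[pulses]: number of ack pulses seen so far
    'pulses': (['ack'],   lambda c, n: c['pulses'] + (1 if n['ack'] else 0)),
}
INIT = {'count': 0, 'sat': False, 'ack': False, 'pulses': 0}
DOMAINS = {'count': range(5), 'sat': (False, True), 'ack': (False, True), 'pulses': range(3)}

# next[a] := next[b]; next[b] := next[a]  (a combinational cycle)
CYCLIC = {'a': (['b'], lambda c, n: n['b']), 'b': (['a'], lambda c, n: n['a'])}


def inv_weak(s):
    """Holds in every reachable state, but is not inductive on its own."""
    return s['pulses'] <= 1


def inv_strong(s):
    """inv_weak plus the lemma that a pulse has been counted exactly when the latch is set."""
    return s['pulses'] <= 1 and (s['pulses'] == 1) == s['sat']
```

Running bounded_check(INIT, MODEL, inv_weak, 8) returns None, so bounded model checking finds no violation; inductive_check(DOMAINS, MODEL, inv_weak) nevertheless returns the unreachable state count = 3, sat = 0, pulses = 1, from which one more step gives two pulses. That state is exactly the hint the text mentions: the lemma "pulses = 1 exactly when sat" rules it out, and inv_strong is inductive.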
Quantifiers and Antecedent Instantiation

Formulas that are checked for validity using the decide command are formulas in the CLU logic.
This logic can express any property in quantifier-free first order logic involving counter arithmetic. It
is often the case that properties of interest involve quantifiers. In particular, many properties involve
the use of the universal (\forall) quantifier. UCLID version 2.0 provides limited support for specifying
properties with universal quantifiers.

There are three classes of quantified formulas that UCLID version 2.0 can handle:

1. Universal Quantification on the outside of a quantifier-free formula: The general form of a
property of this kind is

\forall i_1 . \forall i_2 \ldots \forall i_k .\ \phi(i_1, i_2, \ldots, i_k)

where \phi(i_1, i_2, \ldots, i_k) is an arbitrary formula in CLU where the i_j's have type TERM. Since
a universally quantified formula is valid if and only if the formula without the quantifiers
is valid (i.e., a formula in which the i_j's appear free), this case can be expressed by simply
dropping the quantifiers, and expressing the quantifier-free formula in UCLID syntax.

For example, consider the formula below:

\forall i . \forall j .\ (i \neq j) \Rightarrow (f(i) \neq f(j))

This can be expressed in UCLID syntax quite simply as

(i != j) => (f(i) != f(j))

We have found that most properties fall under this case.

2. Universal Quantification only over variables appearing in the antecedent: The general form
of a formula p of this kind is

(\forall i_1 . \forall i_2 \ldots \forall i_k .\ A(i_1, i_2, \ldots, i_k)) \Rightarrow C

where A(i_1, i_2, \ldots, i_k) and C are arbitrary formulas in CLU, and i_1, i_2, \ldots, i_k do not appear
free in C.

Notice that by pulling out the universal quantifiers, p can be rewritten as

\exists i_1 . \exists i_2 \ldots \exists i_k .\ (A(i_1, i_2, \ldots, i_k) \Rightarrow C)

Formula p can be verified in UCLID in two ways. The first method involves proving a more
conservative version of p, namely the formula

\forall i_1 . \forall i_2 \ldots \forall i_k .\ (A(i_1, i_2, \ldots, i_k) \Rightarrow C)
Notice that the above formula is of the kind handled in item 1 above, and so can be translated
to an equivalent formula in CLU.

Often, the more conservative property fails to hold, and other techniques are needed. The
second method involves the use of instantiation. Instantiation is the process by which the
universal quantifier over the antecedent of p is converted to a finite conjunction of instances
of the antecedent. Each instance is generated by assigning a symbolic constant to a quantified
variable, and dropping the universal quantifier over that variable. For example, the above
formula p would get translated to a new formula p_inst given below

\Big( \bigwedge_{t_{j_1}, t_{j_2}, \ldots, t_{j_k}} A(t_{j_1}, t_{j_2}, \ldots, t_{j_k}) \Big) \Rightarrow C

This procedure is sound, but necessarily incomplete, because it would otherwise imply the
decidability of first-order logic. In other words, if p_inst is valid, so is p, but p could be valid
without p_inst being valid. We have found that using an instantiation technique is often useful
in proving the validity of the property of interest.

UCLID version 2.0 incorporates a simple heuristic strategy to instantiate the antecedent,
which has had some success. The strategy essentially involves instantiating each quantified
variable with all relevant terms from the consequent formula C. Further details of this
procedure are available elsewhere [89].

Instantiation may be specified in the UCLID language as follows. For the property p given
above, the user would write a corresponding UCLID formula (of type TRUTH) as given below
(assume k = 2)

FORALL(i1, i2) A(i1, i2) => C

where A and C are UCLID truth-expressions corresponding to A and C above, respectively.

3. Universal quantification performed separately over variables appearing in the antecedent
and in the consequent: The general form of a formula q of this kind is

    $$q \;\equiv\; \big(\forall i_1.\,\forall i_2 \cdots \forall i_k.\; A(i_1, i_2, \ldots, i_k)\big) \Rightarrow \big(\forall j_1.\,\forall j_2 \cdots \forall j_n.\; C(j_1, j_2, \ldots, j_n)\big)$$

where $A(i_1, i_2, \ldots, i_k)$ and $C(j_1, j_2, \ldots, j_n)$ are arbitrary formulas in CLU such that
$i_1, \ldots, i_k$ do not appear free in $C(j_1, j_2, \ldots, j_n)$, and $j_1, j_2, \ldots, j_n$ do not
appear free in $A(i_1, i_2, \ldots, i_k)$.

q is equivalent to the following formula

    $$\forall j_1.\,\forall j_2 \cdots \forall j_n.\; \Big( \big(\forall i_1.\,\forall i_2 \cdots \forall i_k.\; A(i_1, i_2, \ldots, i_k)\big) \Rightarrow C(j_1, j_2, \ldots, j_n) \Big)$$

which in turn is equivalent, for the purpose of validity checking (free variables such as
$j_1, \ldots, j_n$ are implicitly universally quantified), to

    $$\big(\forall i_1.\,\forall i_2 \cdots \forall i_k.\; A(i_1, i_2, \ldots, i_k)\big) \Rightarrow C(j_1, j_2, \ldots, j_n)$$

Notice that the last formula above is in the form of item 2 above. Therefore, we can handle
this formula using the conservative approach and the instantiation techniques described in
item 2.

However, UCLID version 2.0 allows the user to be explicit about which variables are being
universally quantified in the consequent C. Thus, for k = 1 and n = 2, q may be written in
UCLID as

    FORALL(i1) A(i1) => FORALL(j1, j2) C(j1, j2)

In UCLID version 2.0, this will have exactly the same effect as writing

    FORALL(i1) A(i1) => C(j1, j2)

Automatic instantiation is a fairly expensive operation: the formula blows up exponentially
with the number of variables to be instantiated. Fortunately, automatic instantiation need
not always be done. Consider the class of properties that impose constraints on the values of state
variables. In these cases, the user can encode the invariant into the init state assignment to those
variables. Such an invariant has the form v = P, where v is a state variable and P is a case
expression enumerating all the possible expressions v can evaluate to along with the conditions
under which v can equal them.

In  the  case  of  inductive  invariant  checking,  if  the  invariant  formula  on  a  variable  v  is  denoted  by 
Inv,  then  instead  of  checking  the  validity  of  a  formula  of  the  form  Inv  =>  Next(Inv),  we  merely 
encode  Inv  into  the  initial  state  of  v,  simulate  for  one  step,  and  then  check  Next(Inv). 

Consider the example of section A.1.2. Suppose we wanted to prove the following property using
inductive invariant checking:

    (trafficLight.timer = ZERO) => (trafficLight.light = red)

We could encode the invariant into the initial state as follows:

    init[light] := case
                     timer = ZERO : red;
                     default      : {red, yellow, green};
                   esac;
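The init-state encoding just shown, worked through on a small finite-state controller in Python as an added illustration. This is neither UCLID code nor the model of section A.1.2: the transition functions step and step_buggy, the state space (light, timer) with a timer bounded by TIMER_MAX, and the function names init_states and check_inductive are all constructed here. init_states plays the role of the case expression (it admits exactly the states in which Inv holds); check_inductive then simulates one step and tests Next(Inv), and the buggy variant shows the counterexamples such a check reports.

```python
from itertools import product

# Constructed toy traffic-light controller for this example. It is NOT the model
# of section A.1.2 and not UCLID code; state = (light, timer) with a finite timer.
LIGHTS = ('red', 'yellow', 'green')
TIMER_MAX = 3

def invariant(state):
    """Inv: timer = ZERO => light = red (the property quoted above)."""
    light, timer = state
    return timer != 0 or light == 'red'

def step(state):
    """One transition of the constructed controller."""
    light, timer = state
    if timer == 0:                 # red phase over: switch to green, reload the timer
        return ('green', TIMER_MAX)
    if timer == 1:                 # last tick: light turns red as the timer reaches ZERO
        return ('red', 0)
    return (light, timer - 1)      # otherwise just count down

def step_buggy(state):
    """Variant with an off-by-one: it lets the timer reach ZERO while still yellow."""
    light, timer = state
    if timer == 0:
        return ('green', TIMER_MAX)
    if timer == 1:
        return ('yellow', 0)       # bug: Inv is violated after one step
    return (light, timer - 1)

def init_states(inv):
    """The init-state encoding from the text: the case expression admits red when
    timer = ZERO and any light otherwise, i.e. exactly the states satisfying Inv."""
    return [s for s in product(LIGHTS, range(TIMER_MAX + 1)) if inv(s)]

def check_inductive(inv, next_fn):
    """Encode Inv into the initial state, simulate one step, check Next(Inv).
    Returns the (state, successor) pairs violating Inv after one step; an empty
    list means Inv is inductive for next_fn. Because the initial states range
    over exactly the states satisfying Inv, this is the same check as the
    validity of Inv => Next(Inv)."""
    return [(s, next_fn(s)) for s in init_states(inv) if not inv(next_fn(s))]

if __name__ == '__main__':
    print('good controller:', check_inductive(invariant, step))
    print('buggy controller:', check_inductive(invariant, step_buggy))
```

For the constructed controller the check returns no violations, so Inv is inductive; for the buggy variant every state with timer = 1 steps to (yellow, 0), which is exactly the counterexample a validity check of Inv => Next(Inv) would produce. The brute-force enumeration is only possible because the toy state space is finite; in UCLID the same init-state encoding lets the decision procedure do this symbolically, without instantiating quantifiers.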

Further  Information 


More  information  on  UCLID  usage  can  be  found  in  the  user’s  manual  [137]. 